5 Ways to Enhance your Information Protection Strategy Using Microsoft Purview

In an age where data volumes are increasing day by day, it’s only natural for organisations to want a solution that incorporates solid security and protection capabilities for both data on-premises and in the cloud. Microsoft 365 enables organisations to secure their data through a solution called Microsoft Purview, an information protection and data governance suite of tools that helps discover, classify and protect data.

In the last five years, data has exploded with the introduction of more cloud-based technologies. According to Statista, 64 zettabytes of data were created, captured, copied and consumed in 2020, with a projected growth to 188 zettabytes by 2025. One zettabyte is a billion terabytes.

With organisations’ volumes of data continuing to grow, it makes it all the more important for organisations to properly manage their data and make sure governance controls are in place to protect sensitive information. Failing to deploy a proper information protection strategy can increase the risk of data breaches and result in organisations failing to meet compliance with regulatory requirements.

This exponential growth correlates with the mass adoption of cloud-based platforms, which provide a way for organisations to collaborate effectively. However, this has introduced risk, as a lot of these platforms do not establish information protection by default.

Microsoft Purview is a best-in-class suite of tools that can help you discover, classify and protect your data, with a specific focus on sensitive information. By adopting some of the tools Microsoft Purview has to offer, you too can enhance your overall information protection strategy.

To help you understand what’s included within your current licencing model and the more advanced models, please review the following: More information on licensing and available features.

1. Classify your content using sensitivity labels

Sensitivity labels allow organisations to categorise their Microsoft 365 data in line with a data classification policy, either one the organisation defines itself or one set by a governing body that it must adopt to meet compliance. A label is stored as metadata on the file or email, so once content has been labelled the label travels with it wherever it ends up. One distinction matters for your threat model, though: the label on its own is a marker, not a control. The access restrictions a label enforces travel with the file only when the label applies encryption; a label without encryption can be removed by anyone who can edit the file and is effectively advisory once the file leaves Microsoft 365.

Sensitivity labels will typically follow a hierarchy determined by priority and will often include parent and child labels to identify the label’s classification as well as any additional controls they may enforce. For example, you may have a parent label named Confidential, which identifies the classification, and a child label named Internal Only, which defines the access controls enforced by the label. You should classify your content using sensitivity labels to help those interacting with the labelled files understand the sensitivity of the information contained within them and how they should handle the type of information.

Key benefits:

  • Encryption – Encryption can be applied via sensitivity labels to enforce access restrictions that control not only who can access the labelled content but also how they can interact with it. For example, internal users can be given full edit rights while all or specified external users get read-only access with no print, copy or forward. You can also change a label's encryption settings later, for example to revoke a partner's access. Because the usage rights are issued by the service rather than baked into each copy of the file, the change applies to already-labelled content the next time it is opened (subject to any offline-access period the label allows).
  • Perpetual – Sensitivity labels are applied perpetually, meaning that even when labelled content is shared beyond your Microsoft 365 environment, the label remains attached, and any encryption it applies continues to be enforced no matter where the content ends up.
  • Content marking – The ability to mark labelled content is also possible with sensitivity labels, which allow you to customise a header, footer or watermark to be applied to some Office files and emails. Adding a visual reminder on a page, slide or email can really help remind users of the classification of the information they’re working with.
  • DLP condition – DLP (data loss prevention) is a great way of preventing the accidental sharing of sensitive content. Typically, organisations use sensitive information types to trigger these policies. However, a sensitivity label applied by the content owner is often a more reliable condition, because it reflects a deliberate human classification rather than a pattern match, and it catches sensitive material that no pattern would spot.

Considerations and next steps: 

  • Before deploying sensitivity labels, make sure you have defined an internal data classification schema. This can then be mapped to sensitivity labels where required.
  • Try to use both parent and child labels so that your labels can be used to not only align with a classification but also highlight potential handling or access requirements.
  • Manually applying sensitivity labels can be burdensome, but fortunately there is the ability to apply them automatically based on conditions such as detected sensitive information types, trainable classifiers or document properties. In some scenarios, you can also recommend a label while a user is creating a file. Auto-labelling policies can be run in simulation mode first; do this, because a loose condition can encrypt far more content than you intended.
  • Take into consideration that sensitivity labels currently have native support in Microsoft 365 only for modern Office and PDF files. To extend labelling to other file types, you may need additional tooling such as the AIP unified labelling client (now being superseded by the Microsoft Purview Information Protection client).
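To make the parent and child structure above concrete, here is an added PowerShell example. It is not from the original post and not a Microsoft sample; it builds a Confidential parent with two child labels, sets their priorities, publishes them and adds a service-side auto-labelling policy in simulation mode. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds a compliance admin role, that two less sensitive labels (such as Public and General) already occupy priorities 0 and 1, and that contoso.com, partner.example, the label names and the built-in SIT name are placeholders to check in your own tenant (Get-DlpSensitiveInformationType lists the exact SIT names).

```powershell
# Added example (not from the original post): Confidential parent with two child labels.
# Assumptions: ExchangeOnlineManagement module installed, compliance admin rights,
# labels already at priority 0 and 1, and contoso.com / partner.example / label
# names / SIT name are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Everyone inside the organisation gets full co-author rights on both child labels.
$internalRights = 'contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'

# 1. Parent label: carries only the classification. A parent cannot be applied to
#    content itself; it groups its children in the label picker.
New-Label -Name 'Confidential' -DisplayName 'Confidential' -ContentType 'File, Email' `
    -Tooltip 'Business-sensitive information. Pick a child label to set the handling rule.'

# 2. Child "Internal Only": encryption limits access to the tenant, a 7-day offline
#    window means revoked users lose access quickly, and the header and watermark
#    give the visual reminder described above.
New-Label -Name 'Confidential-Internal' -DisplayName 'Internal Only' -ParentId 'Confidential' `
    -ContentType 'File, Email' -Tooltip 'Confidential. Do not share outside the organisation.' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $internalRights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'CONFIDENTIAL - INTERNAL ONLY' `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText 'Internal Only'

# 3. Child "Partner Read-Only": internal users keep full rights; a named partner
#    domain can view but not edit, print, copy or forward.
New-Label -Name 'Confidential-Partners' -DisplayName 'Partner Read-Only' -ParentId 'Confidential' `
    -ContentType 'File, Email' -Tooltip 'Confidential. Named partners may read but not change or forward.' `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "$internalRights;partner.example:VIEW,VIEWRIGHTSDATA" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'CONFIDENTIAL - PARTNER READ-ONLY'

# 4. Priority: a higher number is more sensitive. This order drives downgrade warnings
#    and decides which label wins when several policies would apply one.
Set-Label -Identity 'Confidential'          -Priority 2
Set-Label -Identity 'Confidential-Partners' -Priority 3
Set-Label -Identity 'Confidential-Internal' -Priority 4

# 5. Publish. Mandatory labelling, a default label and downgrade justification are
#    policy settings; set them on this policy in the Purview portal after publishing.
New-LabelPolicy -Name 'Global label policy' -ExchangeLocation All `
    -Labels 'Confidential', 'Confidential-Internal', 'Confidential-Partners'

# 6. Auto-labelling (service side, for files already at rest): apply 'Internal Only'
#    when a UK National Insurance number is detected. Start in simulation and read the
#    results before switching -Mode to Enable; a bad pattern can encrypt half a library.
New-AutoSensitivityLabelPolicy -Name 'Auto-label NI numbers' -ApplySensitivityLabel 'Confidential-Internal' `
    -SharePointLocation All -OneDriveLocation All -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Policy 'Auto-label NI numbers' -Name 'NINO detected' `
    -Workload SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '1' }
```

The design choice worth noting is that the two child labels share the same internal rights string and differ only in what the partner domain is granted. Keeping the handling difference inside the child label, rather than creating a second parent, is what lets the parent stay a pure classification.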

2. Use data loss prevention to prevent the accidental sharing of sensitive information

The data loss prevention (DLP) service allows organisations to manage how their data is shared both internally and externally, helping to prevent sensitive information from being shared inappropriately. It is important to be clear about the objective: DLP is designed to catch the accidental sharing of sensitive information. It is not, by itself, a control against someone deliberately trying to exfiltrate data, who will usually look for a channel DLP does not monitor; that threat needs access restriction, auditing and alerting alongside it.

DLP works by monitoring the way content in your tenant is shared with both internal and external recipients, allowing you to specify conditions to target specific types of content and apply actions that determine what happens when a user attempts to share that content.

DLP can be used to protect content across the following locations:

  • Exchange email
  • SharePoint sites
  • OneDrive accounts
  • Teams chat and channel messages
  • Windows 10, 11 and macOS devices (endpoint DLP)
  • Microsoft Defender for Cloud Apps
  • On-premises repositories
  • Power BI workspaces

Key benefits:

  • Reduce inappropriate sharing – Reducing the likelihood that users accidentally share sensitive information with the wrong recipients is one of the main advantages of using DLP. Failing to do so can seriously damage an organisation's reputation and, in some cases, its competitive advantage. For example, if an employee were to accidentally share publicly a document containing an organisation's secret recipe, process or design, the impact could be severe.
  • Audit and trigger alerts – Using DLP also keeps an audit trail of how and when sensitive information is being shared, which can be useful to review in the event of data leakage or to evaluate common practices across the organisation. DLP can also be used to trigger alerts to notify managers or administrators when the sharing of sensitive information is detected.

Considerations and next steps: 

  • When first implementing DLP, run policies in simulation mode to understand the impact they would have on your users before enforcing them. A policy that has not been assessed properly can block genuine sharing and hurt productivity, which in turn erodes users' trust in the controls.
  • Encourage good user behaviour by using notifications to raise awareness when people may be sending sensitive information to inappropriate recipients. DLP policies include the ability to display policy tips to users as well as send email notifications when they may be performing incorrect sharing practices.
  • Securing sensitive information is a high priority, but it is also important not to deter productivity. Giving people the option to override DLP policies can be a useful way of letting users apply their own judgement where DLP is flagging false positives. The override can be paired with a requirement to provide a justification that is written to the audit logs. Override events are worth alerting on in their own right: a pattern of overrides from one user or one site is a signal, and a justification text that is plainly nonsense tells you the tip is being clicked through rather than read.
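Here is an added PowerShell example that pulls the considerations above together. It is not from the original post and not a Microsoft sample: it creates a DLP policy across Exchange, SharePoint, OneDrive and Teams that starts in simulation mode with policy tips, matches either a built-in sensitive information type or the owner-applied Confidential label from the previous section, blocks external sharing, allows a justified override and sends an incident report. It assumes the ExchangeOnlineManagement module, a compliance admin account, that a sensitivity label named Confidential exists, and that the addresses, policy names and the confidence-threshold keys used in the hashtable are placeholders to check against your tenant before running.

```powershell
# Added example (not from the original post). Assumptions: ExchangeOnlineManagement
# module, compliance admin rights, an existing 'Confidential' sensitivity label, and
# contoso.com addresses / policy names as placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. Policy: where it applies, starting in simulation WITH policy tips. Users see the
#    tip and nothing is blocked until the mode is switched at the end of this script.
New-DlpCompliancePolicy -Name 'Protect confidential data' `
    -Comment 'Block external sharing of confidential content' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Condition: EITHER a high-confidence credit card match OR the Confidential label.
#    The second group is the point made above: an owner-applied label is a condition
#    in its own right, independent of any pattern. (minConfidence/maxConfidence keys
#    are an assumption here; check Get-DlpComplianceRule output in your tenant.)
$condition = @{
    operator = 'Or'
    groups   = @(
        @{ operator = 'Or'; name = 'Pattern match'
           sensitivetypes = @( @{ name = 'Credit Card Number'; minCount = '1'; minConfidence = '85'; maxConfidence = '100' } ) },
        @{ operator = 'Or'; name = 'Owner classification'
           labels = @( @{ name = 'Confidential'; type = 'Sensitivity' } ) }
    )
}

# 3. Rule: external recipients only, block, tip + mail to the owner, justified override,
#    incident report to the DLP team with enough context to triage without opening the file.
New-DlpComplianceRule -Policy 'Protect confidential data' -Name 'Block external, allow justified override' `
    -ContentContainsSensitiveInformation $condition `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText 'This item contains confidential data and cannot be shared externally. Override only for a business reason; your justification is logged.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport 'dlp-alerts@contoso.com' `
    -IncidentReportContent Title, DocumentAuthor, DocumentLastModifier, MatchedItem, RulesMatched, Severity `
    -ReportSeverityLevel High

# 4. After a week in simulation, review what WOULD have been blocked. Matches are logged
#    in test mode too, so the audit log is the place to see the false-positive rate.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ComplianceDLPSharePoint -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize

# 5. Only once the simulation results look sane, enforce.
Set-DlpCompliancePolicy -Identity 'Protect confidential data' -Mode Enable
```

Two points on the design. AccessScope NotInOrganization means internal sharing of the same content is untouched, which keeps the false-positive cost to the business low; tighten to None (any sharing) only for your most sensitive label. And the high confidence threshold on the SIT group is deliberate: the label group already covers human-classified content, so the pattern group can afford to be strict.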

3. Identify and protect your sensitive on-premises data with the information protection scanner

Although a lot of organisations have adopted Microsoft 365 to use cloud-based file repositories, a number of organisations still have large amounts of data stored on-premises. It is important to protect both your cloud and on-premises data, and the Microsoft Purview information protection scanner (formerly known as the Azure Information Protection scanner) is a great way to do this for your on-premises data.

The scanner is a data discovery and classification tool that can be used to evaluate and protect on-premises repositories such as file shares and SharePoint Server sites. It can run a discovery job that only identifies and reports on sensitive information, or it can enforce DLP policies and apply sensitivity labels to what it finds. You choose what to look for using out-of-the-box or custom sensitive information types (SITs). A SIT is more than a regular expression: it combines a primary pattern (a regex, a keyword list or a function such as a checksum) with supporting evidence and a confidence level, so that a bare number is not reported as, say, a passport number unless corroborating keywords appear near it. Examples of out-of-the-box types include passport, National Insurance and driving licence numbers.

Key benefits:

  • Discovery insights – Using the scanner in discovery mode will provide you with some great insights into the volume of sensitive information within your on-premises environment, as well as the ability to recognise hot spots that store the most sensitive information.
  • Scalable – If you do have a large on-premises environment, the option to scale the scanner using multiple nodes may be beneficial and can improve the overall performance.
  • One-time operation & continuous – Scans can be triggered to run as a one-time operation to help support an immediate business case or used as a continuous process as part of a wider information protection strategy.
  • Audit logs integration – The scanner also writes its discovery and labelling events to the unified audit log, where they surface in activity explorer. Combined with the access events that Office apps and the labelling client record when protected files are opened, this shows which sensitive information is stale and which is active, and can inform decisions about archiving, migration or deletion.

Considerations and next steps:

  • Use the scanner to complete a discovery job first and conduct a review of the results before enforcing the application of sensitivity labels and DLP policies. Reviewing the results first will allow you to make refinements, such as excluding locations or file types.
  • Microsoft has done some good work to help organisations identify common sensitive information types using out-of-the-box SITs. However, the real power comes from creating your own custom SITs to cater for your organisation's unique types of sensitive information. These can use regular expressions, keyword lists or document fingerprints that relate to high-value internal information, such as project codes or internal terminology. Consider leveraging custom sensitive information types to enhance your discovery, and test each one against real samples before a scan depends on it: a pattern that is too loose will flood the discovery report, and one that is too tight will silently miss the data you care about.
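The following added PowerShell example (not from the original post, not a Microsoft sample) shows both halves of the workflow above: defining a custom SIT from a rule-package XML in which a project-code pattern only counts as a high-confidence match when a supporting keyword appears nearby, checking it against a sample string, and then configuring the scanner for a discovery-only pass over a file share. It assumes compliance admin rights, a scanner already installed per Microsoft's guide, and that the GUIDs, share path, names and sample text are placeholders. It also assumes the AIP unified labelling client cmdlet names; the newer Purview Information Protection client drops the AIP prefix (for example Set-ScannerContentScanJob, Add-ScannerRepository, Start-Scan), so adjust to whichever client you run.

```powershell
# Added example (not from the original post). Assumptions: compliance admin rights,
# scanner already installed, AIP UL client cmdlet names, and all GUIDs / paths /
# names / sample text are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

# Part 1: custom SIT as a rule package. Two patterns on one entity: regex + keyword
# within 300 characters is high confidence (85); regex alone is low confidence (65).
# DLP rules and scans can then pick the strictness they want.
$rulePack = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0" />
    <Publisher id="$publisherId" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Contoso internal identifiers</Name>
        <Description>Project codes used in confidential engineering documents</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_ContosoProjectCode" />
        <Match idRef="Keyword_ContosoProject" />
      </Pattern>
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_ContosoProjectCode" />
      </Pattern>
    </Entity>
    <!-- word boundaries stop PRJ-12345 matching inside longer tokens such as URLs -->
    <Regex id="Regex_ContosoProjectCode">\bPRJ-[0-9]{5}\b</Regex>
    <Keyword id="Keyword_ContosoProject">
      <Group matchStyle="word">
        <Term>project code</Term>
        <Term>engineering plan</Term>
        <Term caseSensitive="true">Falcon</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Contoso Project Code</Name>
        <Description default="true" langcode="en-us">Internal project reference PRJ-nnnnn with supporting keywords</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

$path = Join-Path $env:TEMP 'ContosoRulePack.xml'
[System.IO.File]::WriteAllText($path, $rulePack, [System.Text.UTF8Encoding]::new($false))
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))

# Sanity-check the SIT on a constructed sample before any scan relies on it.
# Expect a high-confidence hit here; drop the word 'Falcon' and the keyword 'project
# code' from the text and it should fall back to the 65 pattern.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Test-DataClassification -ClassificationNames 'Contoso Project Code' `
    -TextToClassify 'Engineering plan for Falcon: see project code PRJ-10482 for the budget.'

# Part 2: discovery-only scan. Run on the scanner host as the scanner service account.
# -Enforce Off reports but changes nothing; -DiscoverInformationTypes All looks for every
# SIT, not just the ones referenced by labels, so the custom SIT above is included.
Set-AIPScannerContentScanJob -Schedule Manual -Enforce Off `
    -DiscoverInformationTypes All -ReportLevel Info -DefaultLabelType None
Add-AIPScannerRepository -Path '\\fs01\Engineering' -OverrideContentScanJob Off
Start-AIPScan -Reset       # -Reset forces a full pass; later runs only revisit changed files
Get-AIPScannerStatus       # detailed CSV reports land under %localappdata%\Microsoft\MSIP\Scanner\Reports
```

Review the discovery report before you change -Enforce to On. The usual refinements at this point are excluding locations (build output, software installers) or file types that generate noise, and promoting any pattern that turns out to be reliable on its own from the 65 to the 85 confidence level.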

4. Proper communication and training

Deploying tools to enhance your information protection strategy is great, but it is equally, if not more, important to make sure that those using the tools know how to do so properly and understand the importance of adopting the tools in the first place. Your information protection strategy should include provisions for sufficient training, so users are not only made aware of how to protect sensitive information but also why it is important to do so. Clearly communicating the importance of information protection is a key driver of adoption and will help to encourage good user behaviour.

Key benefits:

  • Better adoption – One big advantage of properly communicating a change is how much it improves adoption, which in turn makes the overall solution more effective.
  • Improved operational efficiencies – When everyone across your organisation has a good understanding of the preferred ways of working, you can work in alignment and improve your operational efficiency.
  • Reduction in data leak incidents – With effective training and communication, your organisation will be better equipped to recognise situations in which sensitive information may become exposed, and people will be more likely to make the right choice about who to share information with and who not to.

Considerations and next steps:

  • Examine everyone’s skill set within the organisation to determine their level of competency, and then create tailored training and communication plans to help upskill those who require assistance.
  • If you have an existing information protection strategy, review your current communications and guidance and, if needed, provide a refresher.
  • Consider conducting pilot deployments to gather feedback to identify potential issues and address them before the deployment is introduced more widely.

5. Gain a better understanding of your sensitive information with content explorer

Content explorer is a reporting dashboard available in the Microsoft Purview compliance portal that allows organisations to understand where sensitive information is located within their Microsoft 365 environment. The dashboard allows you to utilise the categories below to identify where matching content is located across Exchange, OneDrive, SharePoint and Teams:

  • Sensitive information types
  • Sensitivity labels
  • Retention labels
  • Trainable classifiers

By location, you can view a summary of your sensitive information, or you can go deeper and examine individual items that have been marked as sensitive.

Key benefits:

  • Location insights – Using content explorer to review where sensitive information sits across your Microsoft 365 environment can be useful to help further refine your information protection strategy. Identifying highly utilised locations can help you decide where to introduce auto-labelling policies or default sensitivity labels.
  • Discover unknown sensitive information repositories – Because so many categories are indexed, you may identify sensitive information that you did not know existed. For example, you can use the sensitive information types category to locate content that potentially contains personally identifiable information in sites nobody had thought to review.
  • Security trimmed – Because content explorer access is restricted by default, you do not have to worry about private information being seen by unauthorised individuals. Access is granted through two built-in Microsoft Purview role groups: Content Explorer List Viewer, whose members see only the number of matching items in each location, and Content Explorer Content Viewer, whose members can open the items flagged as sensitive. Treat the second as a privileged role: it exposes the actual content, so assign it sparingly, to named individuals, and review the membership regularly.

Considerations and next steps:

  • Determine who ought to have access to content explorer and consider the suitable level of access for each person.
  • Take advantage of the content explorer’s insights to steer your decisions when implementing advanced features like SharePoint library default sensitivity labels and auto-labelling policies.
  • Content flagged as matching a sensitive information type will not always be accurate. Every SIT match carries a confidence level, so validate the flagged content (starting with the low-confidence matches) to make sure it is being categorised correctly before you base labelling or DLP decisions on the counts.
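As an added PowerShell example (not from the original post, not a Microsoft sample), here is how to review and assign content explorer access using the two role groups mentioned above. It assumes the ExchangeOnlineManagement module, a compliance admin account, and that the two user addresses are placeholders.

```powershell
# Added example (not from the original post). Assumptions: ExchangeOnlineManagement
# module, compliance admin rights, placeholder addresses.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# List Viewer: counts per location only. Content Viewer: can open the matched items.
$roleGroups = 'Content Explorer List Viewer', 'Content Explorer Content Viewer'

# Who can see what today? Put this in a periodic access review; the Content Viewer
# list is the one that should stay short.
foreach ($rg in $roleGroups) {
    "== $rg =="
    Get-RoleGroupMember -Identity $rg | Select-Object Name, PrimarySmtpAddress
}

# Least privilege: a data owner gets counts only (enough to steer labelling and DLP
# decisions); a named investigator gets content, ideally time-boxed rather than permanent.
Add-RoleGroupMember -Identity 'Content Explorer List Viewer'    -Member 'data.owner@contoso.com'
Add-RoleGroupMember -Identity 'Content Explorer Content Viewer' -Member 'dlp.investigator@contoso.com'
```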

Final thoughts

Securing sensitive information can seem like a daunting task for any organisation. Without a true understanding of your data landscape, securing it can be extremely difficult. There are many ways to secure information in Microsoft 365, but ultimately it comes down to utilising the correct tools and making sure users are educated on how to use them and the impact they have on protecting sensitive information. Always start with a small footprint to test, and ensure the security allows users to continue to operate as normal without inhibiting their productivity. Crawl, Walk, Run!

No matter your journey, we are here to help. If you’re looking for a partner with a track record in securing sensitive information and leading organisations on a journey to an enhanced information protection strategy or simply want to know more, then please feel free to get in touch.


Luke Greening
Previously designing and implementing large-scale intranets (and everything that comes with it) to now delivering cutting-edge content delivery platforms, I have extensive knowledge when it comes to People, Process and Technology. Data is at the heart of everything we do, and I love taking our customers on a journey that exploits all the amazing capabilities Microsoft 365 and Microsoft Purview have to offer them in mitigating risk and being ever more compliant.
Published On: February 15th, 2024 Categories: Knowledge & Information Management
