Blog Post

Security, Compliance, and Identity Blog
8 MIN READ

Insightful and intelligent classification and protection are key to data security

Anna_Chiang's avatar
Anna_Chiang
Icon for Microsoft rankMicrosoft
Nov 15, 2023

80% of those recently surveyed agree that comprehensive data security with integrated solutions is superior to using multiple best-of-breed solutions that have to be manually integrated and managed. The reason is that having more tools does not mean greater data security or efficiency – it’s the opposite. It may create a false sense of security, gaps in visibility and coverage, and increased complexity, time, and resources to manage siloed disparate solutions.1

 

With Microsoft Purview Information Protection, we provide an integrated solution that is built-in, intelligent, unified, and extensible.  It identifies and protects sensitive data across your digital estate, which includes Microsoft clouds such as Microsoft 365 and Azure, as well as on-premises, hybrid and third-party clouds, and SaaS applications.

 

Today we are excited to announce several new Information Protection product capabilities that are generally available in the following categories:

  • Advanced classification and labeling
  • Enhanced PDF support
  • Secure collaboration
  • Microsoft Fabric support
  • New built-in parity features
  • Multicloud Enterprise Data Estate support (gated public preview)

 

Intelligent advanced classification and labeling capabilities at enterprise scale

Organizations are faced with the challenge of discovering and protecting sensitive data across their digital estate in order to prevent unauthorized access and sharing of corporate intellectual property and PII. This is especially true for large enterprises with hundreds of thousands of employees and millions of files. Advanced classification technology (e.g., named entities, exact data match, OCR, and pre-built Sensitive Information Types including credentials and fingerprint SITs) can be leveraged to quickly discover specific types of sensitive data based on the content found within files or business applications.

 

But, for those working on highly sensitive tented projects or long-term strategic plans, they need another method that can quickly classify and protect files based on files names with certain phrases (e.g., “Project X”) or which key executive on the team created the document. We are excited to announce a new advanced classification capability based on the context of files and data. This will enable system admins to more quickly and intelligently classify groups of files and data based on their characteristics/properties, which wasn’t previously possible.

 

  • New Contextual predicates in service-side auto-labeling. Context-based classification is not based on the content found in files and data, but instead on information about the file, such as file extension, size, who created the document (OneDrive and SharePoint locations only), document property, or if the file name contains certain words or phrases. It is used to quickly and automatically classify and label files in these groups or categories, and for directly mapping a document’s properties to specific sensitivity labels (e.g., for migrating large numbers of files labeled with a different classification solution). 

 

In addition, to make it even easier to classify large groups of highly sensitive confidential information, we now offer a new site labeling capability that can protect large numbers of sensitive files, without requiring admins to define classification policies at all, which saves much time and resources.

  • Default site labels for SharePoint document libraries enable admins to designate all files contained within a document library with a specific sensitivity label (e.g., Confidential-FTE with encryption). Site default labels allow you to protect all documents because the library itself is sensitive – without needing to define specific classification policies. This helps to protect highly confidential content (e.g., M&A or new product development projects) more broadly and comprehensively.  More information can be found here.

 

Figure 1. All files in this Financial Planning document library in SharePoint are automatically labeled Confidential.

We continue to make advancements in our trainable classifiers offering to improve accuracy and discovery of categories of sensitive content as well as specific forms and files. For example, admins need to quickly determine whether a trainable classifier is effective, so they can make necessary changes as needed (e.g., replace with a different classifier). Customers also want to quickly detect business context in documents to keep confidential data from being leaked to unauthorized individuals. We are pleased to announce that keyword highlighting of the top words/phrases in files that cause a match to a trainable classifier is now available along with a new pre-trained ready-to-use trainable classifier that quickly detects business context in files.  

 

Contextual support for trainable classifiers improves visibility into effectiveness as well as discoverability

  • Keyword highlighting for trainable classifiers enables admins to view in the Contextual Summary tab of Content explorer or by uploading a document and using the Test classifier feature to see the top 10 keywords/phrases that caused a trainable classifier match. For more information read this blog and see this link on how to increase classifier accuracy.
  • A new ready-to-use trainable classifier that detects business context can discover and classify documents that contain sensitive business data (e.g., quarterly financial earnings). This new classifier provides more accurate detection of business-related content without generating a lot of false positive matches. This enables enhanced data security, a better more focused experience and boosted productivity for system admins and their teams. More information can be found here.

 

Better protect your most important PDF files

PDFs are heavily used for contracts, statements of work, legal documents, health records, manuals, and other types of documentation, making them indispensable in today’s modern workplace. Customers have been asking for this, and we know that PDF is the most common file type seen in SharePoint and OneDrive. Customers need equivalent labeling and protection capabilities with PDFs that are available for other Microsoft 365 files across commonly used workloads. We are excited to share improvements in the PDF experience and the general availability of:

  • Auto labeling of files at rest in SharePoint can now automatically start labeling PDF files in addition to Word, Excel and PowerPoint. This enables organizations to quickly discover and protect large numbers of PDFs in SharePoint.
  • Protected PDFs support in SharePoint, OneDrive, and Teams enables users to view labeled and protected PDFs in SharePoint Online, One Drive and Teams, so they are able to easily open them from right inside SharePoint using the Edge browser. Search, eDiscovery, and DLP also work seamlessly on protected PDFs. Protection travels with the document, no matter where and how the document travels.

 

Securely collaborate on your most sensitive projects with user-defined permissions

Customers who are working on highly sensitive tented projects need to share and collaborate on documents with a small number of people on their team, but they also want to prevent oversharing of these sensitive files with unauthorized users. For these individuals selecting a label that is too general (e.g., Confidential – FTE only) doesn’t meet their needs. However, system admins have limited time/resources to create special more granular labels for specific teams to use. The solution is to enable document owners to create their own custom labels that limit the number of people who can read or edit documents to a small group of users they choose. For example, the press release review of the quarterly earnings of a public company could be circulated only among a small set of individuals who need to review and/or make edits, since they’re the only ones able to access the document at all.

 

  • Secure collaboration on labeled and encrypted documents with user-defined permissions. With user-defined permissions, document owners no longer need admins to create special labels for their highly confidential documents. Instead, they can specify the permissions themselves by applying UDP labels on files. UDP labeled files in SharePoint support co-authoring. This capability is very popular with C-Suite users, or those working on tented projects who need to limit access to highly confidential documents to a small set of explicitly authorized individuals that they select themselves.

 

Figure 2. GIF demonstrating a document owner configuring a UDP Coauth label and selecting email addresses of users that have read only or change permissions for co-authoring.

 

Microsoft Fabric Information Protection support enables end-to-end protection

Customers need end-to-end protection of sensitive data from the point it enters Fabric, as it moves around and gets re-used in other files within Fabric, and when that sensitive data leaves Fabric

  • Microsoft Fabric support for Information Protection sensitivity labels is now generally available. Sensitivity labels follow the data automatically as it flows from the lake house to Power BI reports, Microsoft 365 files, and other assets business users rely on every day. This comprehensive file label inheritance capability is described in more detail here.

 

Multicloud support extends protection across your digital estate

 Many organizations don’t just use a few SaaS apps, but many, not a single Cloud Service Provider but a few. And, they store their data (unstructured or structured), on-premises, in the cloud/multi-cloud, and in hybrid clouds across their digital estate. In order to better support the many and different ways that customers need to discover and label their most sensitive data wherever it lives and travels, we’re excited to announce the following new Information Protection capability:

  • Enterprise data estate: Extend sensitivity labels to assets in Azure (gated public preview). Use existing sensitivity labels or create new sensitivity labels via the Microsoft Purview portal to extend security and compliance intent to data assets in Microsoft Purview Data Map.
  • Labels can be applied to ADLS/Azure Blob, Azure SQL, and AWS S3.
  •  Supports label-based protection policies that will control access to information in Azure SQL, ADLS and AWS S3.

 

More built-in features in Microsoft 365 make it even easier to protect sensitive data

As we continue to assist customers migrating from Azure Information Protection to the superior built-in capabilities of Microsoft Purview Information Protection, we are pleased to announce the following releases are now generally available:

  • Configure policy tips as popups for labeled emails and attachments with built-in information protection for Outlook. Admins can now configure DLP rules that display warnings in popup dialogs before users send out emails. This makes it more difficult for users to inadvertently overshare or send emails to external users that aren’t authorized according to their organization’s policies. Admins can set up rules to provide warnings only, block actions entirely, require business justification or request explicit acknowledgements before sending emails. Sensitivity labels can be used as a condition to trigger these popups.

 

Figure 3. Policy tip popup message warning users not to send emails or attachments marked highly confidential to external recipients unless they can provide business justification.

 

  • Double Key Encryption (DKE) can be used to protect your most sensitive files and emails in Microsoft 365 Apps on Windows with built-in labeling in Office. With DKE, Microsoft stores one key in Microsoft Azure and you hold the other key, ensuring that only you can ever decrypt protected content, under all circumstances. Users can now use sensitivity labels configured with DKE by their admins in Office applications when they publish or consume content protected by DKE.
  • Tracking and Revocation. With this capability users access the Microsoft Purview compliance portal to check who has tried accessing their sensitivity labeled and encrypted local Office files and revoke access when needed. So, even if there was oversharing, document owners can see that this has happened and later revoke access to those unauthorized users.

 

How to Get Started 

Learn more about Information Protection here. Try Microsoft Purview Information Protection and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial.

 

Additional resources

 

Join the Data Security and Privacy Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Information Protection and other Purview solutions. An active NDA is required. Click here to join.

 

1Source: Microsoft Data Security Index report

Updated Nov 29, 2023
Version 2.0
No CommentsBe the first to comment