Before we start, please note that if you want to see a table of contents for all the sections of this blog, you can locate them at the following URL:
Microsoft Purview and Modern Work (Part 1) - Overview
Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
Target Audience
The Information Life Cycle Management section of this blog series is aimed at Security and Compliance and Modern Work officers who need to properly label data, encrypt it where needed.
Document Scope
This blog and document are meant to help an IT administrator who is looking to secure their data throughout the lifecycle of the data.
It is presumed that you already have a basic understanding of the Purview tools and the Modern Work tools (including Exchange, Teams, SharePoint and OneDrive).
Out-of-Scope
This document does not cover configuring any of the below, ie. Holding your hand through the process of configuration”, as that is covered via other blogs, official Microsoft documents, or through the aid of Microsoft implementation teams or Microsoft partners:
- Audit
- Communications Compliance
- Compliance Manager
- Data Classification (Sensitive Information Types)
- Data Classification (Exact Data Matching)
- Data Classification (Trainable Classifiers)
- Data Lifecycle Management (retention and disposal)
- Data Protection Loss (DLP) for Exchange, OneDrive, Devices, etc
- Information Barriers
- Information Protection (labeling, encrypting, watermarking, etc of files)
- Insider Risk Management
- Microsoft Defender for Cloud Apps (MDCA)
- Privacy Management (Priva)
- Records Management (retention and disposal)
- Standard or Premium eDiscovery
Notes
After each section of this blog, I will make a note of which of the 3 parts of the CIA Triad that Microsoft tool will help you meet. Here are a few examples.
Example #1 –
CIA component – Integrity & Availability
Example #2 –
CIA component – Confidentiality & Availability
Example #3 –
CIA component – Integrity
Exchange Email
For this part of the blog, I have broken down the Purview workloads, mapped them to the Exchange messaging activity, and then mapped those to the corresponding stage of the Information Lifecycle.
Here is the high-level view of this mapping.
Please note I’ve added a new stage to the Information Lifecycle and called it Pre-data creation. This was done to help show that Microsoft Auditing is always enabled within your Microsoft tenant.
After each Purview workload, you will find a CIA triad “indicator” to show which part of the triad Purview is supported. In addition, you will also find assorted links to assorted Microsoft documents or blog postings that can help you enable that functionality in your environment, presuming you are appropriately licensed.
Pre-data Creation
- Premium Audit (email/file) – It is recommended that this be enable before all functionality to watch all data activity in your environment.
Microsoft Purview Audit (Premium) - Microsoft Purview (compliance) | Microsoft Learn
CIA component – Confidentiality & Integrity
Create (data)
- Premium Audit (email/file) – This watches the creation, user, searching, labeling (sensitivity and Retention labels), etc. of all data in your tenant.
Microsoft Purview Audit (Premium) - Microsoft Purview (compliance) | Microsoft Learn
CIA component – Confidentiality & Integrity
- Information Protection (Sensitivity Label) (email/file/site) – This tool applies encryption, watermarking, access, editing, etc. based on a user’s credentials either in your tenant or associated with your tenant. There are two ways that this tool can apply labels:
- Automatic Sensitivity labeling – This is done by the tool reasoning over data that exists or being created and applies a sensitivity label based on what it finds.
- Manual Sensitivity labeling – This is done by the user who applies a sensitivity label based what they see or have placed in that file/email.
Learn about sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn
Microsoft Purview- Paint By Numbers Series (Part 2)- Information Protection - Microsoft Community Hu...
CIA component – Confidentiality & Integrity
- Data Lifecycle Management / Records Management (Retention Label) (email/file) – This tool applies retention based on what is inside of an email/file. There are two ways that this tool can apply labels:
- Automatic Retention labeling - This is done by the tool reasoning over data that exists or being created and applies a retention label based on what it finds.
- Manual Retention labeling – This is done by the user who applies a retention label based what they see or have placed in that file/email.
Learn about Microsoft Purview Data Lifecycle Management - Microsoft Purview (compliance) | Microsoft...
Records management for documents and emails in Microsoft 365 - Microsoft Purview (compliance) | Micr...
Microsoft Purview - Paint By Numbers Series (Part 4) - Records Management - Microsoft Community Hub
CIA component – Integrity
Use & Retain (data)
- Premium Audit (email/file) – This is always logging interactions with files/emails.
Microsoft Purview Audit (Premium) - Microsoft Purview (compliance) | Microsoft Learn
CIA component – Confidentiality & Integrity
- Communications Compliance (email/teams) – This watches over email and Teams communications for terms and verbiage that should not be used or shared
- Examples include. inappropriate words, bullying, PHI, or PII.
Learn about communication compliance - Microsoft Purview (compliance) | Microsoft Learn
CIA component – Confidentiality
- Information Barriers (email/teams) – This blocks emails or teams’ conversations between users/groups that should not be communicating.
- Examples would include researchers and financial analysts, or Subsidiary A in the USA and Subsidiary B in Europe.
Learn about information barriers - Microsoft Purview (compliance) | Microsoft Learn
Microsoft Purview - Paint By Numbers Series (Part 8a) - Information Barriers and Team Chat - Microso...
CIA component – Confidentiality
- Data Loss Prevention (email/file) – This blocks sending emails/chats/data/files to the wrong individuals or organizations.
- Example - your organization and your organization’s primary competitor.
Learn about data loss prevention - Microsoft Purview (compliance) | Microsoft Learn
Microsoft Purview - Paint By Numbers Series (Part 3) - Data Loss Protection for Exchange - Microsoft...
CIA component – Confidentiality &Integrity
- Information Protection (Sensitivity Labels) – This allows for manual/automatic sensitivity labeling of existing data OR changing sensitivity label of an existing label.
- An example of this would be encrypting files so only your Business partners can read the files using a user profile associated with your Azure Active Directory. All other credentials, personal, competitor, etc. would be blocked from accessing the data.
Learn about sensitivity labels - Microsoft Purview (compliance) | Microsoft Learn
Microsoft Purview- Paint By Numbers Series (Part 2)- Information Protection - Microsoft Community Hu...
CIA component – Confidentiality & Integrity
- Data Lifecycle Management / Records Management (Retention label) (file/email) – These tools provide for either manual or automatic retention labeling of existing unlabeled data OR change the retention label of existing labels.
- Examples include applying a 7 year retention to PHI for HIPAA regulations, or changing a 7 year retention label to a 3 year retention when data within a file has been changed.
Learn about Microsoft Purview Data Lifecycle Management - Microsoft Purview (compliance) | Microsoft...
Records management for documents and emails in Microsoft 365 - Microsoft Purview (compliance) | Micr...
Microsoft Purview - Paint By Numbers Series (Part 4) - Records Management - Microsoft Community Hub
CIA component – Integrity
- Insider Risk Management (email/file) – This tool tracks data movement, deletion, changes in labels, exfiltration, etc and maps it to user behavior. If needed, this tool can hand collected information (emails, files, users name, etc) to eDiscovery as a case.
- An example of this would be a user tendering their resignation, and you see a sudden spike in their downloading corporate data to a USB stick.
Learn about insider risk management - Microsoft Purview (compliance) | Microsoft Learn
Microsoft Purview - Paint By Numbers Series (Part 6) – Insider Risk Management - Overview - Microsof...
CIA component – Confidentiality
- eDiscovery (email/file) – With this tool you can search, collect, sift, hold, review, and export data for legal/compliance/HR/forensics investigations.
Microsoft Purview eDiscovery solutions - Microsoft Purview (compliance) | Microsoft Learn
Microsoft Purview - Paint By Numbers Series (Part 5) - Advanced eDiscovery - Microsoft Community Hub
CIA component – Integrity
Destroy (data)
- Premium Audit (email/file) – This watches the deletion of emails/files.
Microsoft Purview Audit (Premium) - Microsoft Purview (compliance) | Microsoft Learn
CIA component – Confidentiality & Integrity
- Insider Risk Management (email/file) – This tool tracks data movement, deletion, changes in labels, exfiltration, etc. and maps it to user behavior. If needed, this tool can hand collected information (emails, files, users name, etc) to eDiscovery as a case.
Learn about insider risk management - Microsoft Purview (compliance) | Microsoft Learn
CIA component – Confidentiality
- Data Lifecycle Management / Records Management (Retention label) (file/email) – These tools provide for either manual or automatic retention labeling of existing unlabeled data OR change the retention label of existing labels.
Learn about Microsoft Purview Data Lifecycle Management - Microsoft Purview (compliance) | Microsoft...
Records management for documents and emails in Microsoft 365 - Microsoft Purview (compliance) | Micr...
Microsoft Purview - Paint By Numbers Series (Part 4) - Records Management - Microsoft Community Hub
CIA component – Integrity
Next Steps
We will now move to look at Teams and specific Purview workloads that can be mapped to communication data within that platform.
Appendix and Links