I have engaged with many clients on the subject of data protection. Generally this is an ask regarding a specific workload but it becomes clear quickly that it is really a more holistic need for a multi layered solution. The below is a list of resources I have complied that were the most useful to clients to answer general questions around data protection in M365.
Privacy
Microsoft has extensive documentation in the Service Trust Portal under Privacy. The Online Services Data Protection Addendum (DPA), Online Services Terms (OST) and HIPAA Business Associate Agreement (BAA) are all discussed in depth.
- Online Services Data Protection Addendum (DPA)
- Online Services Terms (OST)
- HIPAA Business Associate Agreement (BAA)
- Microsoft Office 365
- Dynamics CRM Online
- Windows Azure core services
Trust Documents – Data Protection
Contains information about how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization. The portal includes whitepapers and guides to assist an organization in meeting regulatory compliance and design solutions in a way to protect their data. Some examples of these documents are below:
Of note is the ‘Data Classification and Security Label Taxonomy’, this document was published by the AIP Product Group to help a client organization form a design approach to designing a label taxonomy.
Microsoft cloud IT architecture resources – (infographics)
Microsoft Cloud Security Architecture (PDF Download)
The security of your Microsoft cloud services is a partnership between you and Microsoft. What IT architects need to know about security and trust in Microsoft cloud services and platforms.
Office 365 Information Protection for GDPR (PDF Download)
This solution demonstrates how to protect sensitive data that is stored in Office 365 services. It includes prescriptive recommendations for discovering, classifying, protecting, and monitoring personal data. This solution uses General Data Protection Regulation (GDPR) as an example, but you can apply the same process to achieve compliance with many other regulations.
File Protection Solutions in Office 365 (PDF Download) <- my personal favorite as the most useful
O365 provides a range of capabilities to protect your data. This document describes capabilities for protecting files so you can choose the best options to protect your organization s data
Cybersecurity Reference Architecture (MCRA)
The Microsoft Cybersecurity Reference Architecture describes Microsoft’s cybersecurity capabilities and how they integrate with existing security architectures and capabilities.
Configure Teams with three tiers of protection
This article provides recommendations for configuring SharePoint Online team sites and file protection that balances security with ease of collaboration. This article defines four different configurations, starting with a public site within your organization with the most open sharing policies. Each additional configuration represents a meaningful step up in protection, but the ability to access and collaborate on resources is reduced to the relevant set of users. Use these recommendations as a starting point and adjust the configurations to meet the needs of your organization.
The configurations in this article align with Microsoft's recommendations for three tiers of protection for data, identities, and devices:
- Baseline protection
- Sensitive protection
- Highly confidential protection
Policy recommendations for securing SharePoint sites and files
This article describes how to implement the recommended identity and device-access policies to protect SharePoint Online and OneDrive for Business. This guidance builds on the Common identity and device access policies.
SharePoint Online External Sharing overview
The external sharing features of Microsoft SharePoint let users in your organization share content with people outside the organization (such as partners, vendors, clients, or customers). You can also use external sharing to share between licensed users on multiple Microsoft 365 subscriptions if your organization has more than one subscription. Planning for external sharing should be included as part of your overall permissions planning for SharePoint in Microsoft 365. This article describes what happens when users share, depending on what they're sharing and with whom.
Azure Information Protection Deployment Acceleration Guide
The Information Protection Customer Experience Engineering Team has developed this guide to assist customers with the acceleration of AIP from a business perspective. While there is a fair amount of reference to technical details in this document, it is not intended to be an end-to-end project plan for full deployment. Rather, it is a guide to help business decision makers and IT implementers understand the best ways to deploy Azure Information Protection and to avoid mistakes that could cause delays in rollout.
Azure Information Protection End User Adoption Guide (PDF Download)
Deploying a Classification and Labeling solution is often as much a PR effort as it is a technical effort. This guide is designed to help create an adoption success plan which includes consideration of the end-to-end information protection process to create organization preparation for deployment including developing a communication and awareness plan for end users to identifying power users who can help end users in adopting best practices for information protection. Document includes sample FAQ’s, client notification emails and a suggest T minus plan for communication.
Azure Information Protection documentation
Control and help secure email, documents, and sensitive data inside and outside your company walls. From easy classification to embedded labels and permissions, enhance data protection at all times with Azure Information Protection, no matter where it's stored or who it's shared with.
Protecting files in the cloud with Azure Information Protection – IT Showcase Microsoft Case Study
Microsoft migrated from Active Directory Rights Management Services to Azure Rights Management, the protection technology used by Azure Information Protection. Azure Information Protection uses encryption, identity, and authorization policies in Azure Rights Management to help secure files and email in the cloud. It enables protected sharing in Office 365 on a variety of platforms including Windows, Mac OS, iOS, and Android.
3 strategies for building an information protection program – MS Case Study
Data protection and tools and Microsoft best practices from internal roll out
Microsoft Teams, as part of the Microsoft 365 and Office 365 services, follows all the security best practices and procedures such as service-level security through defense-in-depth, customer controls within the service, security hardening and operational best practices
Additional Resources:
2020 Ignite Information Protection Related Sessions:
- Be a risk management hero with intelligent data protection and compliance solutions
- Know your data, protect your data and prevent data loss with Microsoft Information Protection
- Ask the Expert: Ask anything about Microsoft Compliance: information protection & governance, inside...
- Ask the Expert: Supercharge information protection and governance across cloud, on-premise, endpoint...
80+ Sessions on Information Protection, top 5 recommended:
- BRK2119 - Secure your sensitive data! Understanding the latest Microsoft Information Protection capa...
- THR3067 - Know your data: Top five tips and tricks to better understand your sensitive data landscap...
- BRK3103 - Protecting sensitive files and data can be hard. Choose the right data protection options ...
- BRK2120 - Got Azure Information Protection? Navigating unified labeling, policy configuration, clien...
- BRK2121 - Extend the power of sensitivity labeling and protection to your own apps and ISV solutions...
2017 Ignite
- Accelerate Azure information protection deployment and adoption
- Watch up until the Quick CISO starts unless you are interested in his deployment experience.
Microsoft Information Protection and Compliance Webinar Page
Here you will find details of our upcoming webinars as well as resources (recorded sessions and uploaded decks) for past webinars. This page is updated often.
Additional Information II:
This is extra info that is not necessarily critical path but it is a good sampling of available info that might be of interest. They include Insider Risk and also discussion about the AIP superuser role which you would use to allow a 3rd party email gateway (as an example) to open and inspect AIP protected data.
- Simplifying the AIP Super User Role with Azure PIM
- eDiscovery for Teams Webinar
- MIP and Compliance V-blog part 1 - Setting up a secure collaboration environment
- MIP and Compliance V-blog #2: Setting up a secure collaboration environment - End user point of view
- MIP and Compliance V-blog#3: Setting up a secure collaboration environment – Security Admin POV
- MIP Previews Available
Advanced MIP features: