SOLVED

Securing Files in Teams

Copper Contributor

Just been through the Microsoft guidance on securing files in Teams: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-files-in-teams


For highly confidential files, the approach is to restrict the underlying SharePoint external sharing permissions, and leverage a Retention Label (which is automatically applied to all files uploaded to the Team site) as a DLP condition. This is fine, but once I have this all set up I'm left with one question that I hope someone can answer: a user can simply go to the underlying SharePoint site, change the retention label on a document, thereby completely bypassing the associated DLP policy.


How can I make it so users cannot change the automatically applied site-level retention label? Either I've missed something or that Microsoft guidance has a huge hole in it.


Thanks in advance.
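Added example, not from the original post or any of the replies: a tenant admin can at least see the bypass described above happening, by pulling retention-label changes on files in the Team's SharePoint site out of the unified audit log with Exchange Online PowerShell. The site URL and the seven-day window are placeholders; the operation names TagUpdated and TagRemoved are the ones the audit log records for "changed retention label of an item" and "removed retention label from an item", and the AuditData fields used (SiteUrl, SourceFileName, SourceRelativeUrl, UserId, CreationTime) are from the common SharePoint audit schema.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement module and an
# account that holds an audit-log reader role. Site URL and time window are placeholders.
Connect-ExchangeOnline

$SiteUrl = "https://contoso.sharepoint.com/sites/FinanceTeam"   # placeholder Team site
$Start   = (Get-Date).AddDays(-7)
$End     = Get-Date

# TagUpdated = a retention label was changed on an item, TagRemoved = it was removed.
# TagApplied (the initial, automatic application) is deliberately left out of the query.
$records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -Operations TagUpdated,TagRemoved -ResultSize 5000

$changes = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # Keep only events on this Team's site; SiteUrl comes from the SharePoint audit schema.
    if ($d.SiteUrl -and ($d.SiteUrl.TrimEnd('/') -ieq $SiteUrl.TrimEnd('/'))) {
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            File      = $d.SourceFileName
            Path      = $d.SourceRelativeUrl
        }
    }
}

$changes | Sort-Object Time | Format-Table -AutoSize

# Optional: keep a copy for a ticket or for SIEM ingest.
$changes | Export-Csv -Path ".\retention-label-changes.csv" -NoTypeInformation
```

This does not stop anyone changing the label, but it gives you a list of who changed which file's label and when, which is what you need to follow up on a DLP bypass or to feed a scheduled check.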

5 Replies

@Tony Redmond any ideas here? I still haven't messed around with labels much, but figured you might know off the top of your head.

@Chris Webb are you an MS365 tenant with mobility+security or E3/365 Premium? Options could be restricted because of your subscription.

best response confirmed by VI_Migration (Silver Contributor)
Solution

@Ben_Stravinsky For highly sensitive files, the guidance is to apply an Office 365 sensitivity label to the files stored in SharePoint Online. This will ensure that only the people assigned rights to the files can access the content. Sensitivity labels are very different to retention labels. https://www.petri.com/using-office-365-sensitivity-labels.


Users can't change the sensitivity label on a file. Only the author or those with co-author permissions can do so.

@Tony Redmond the problem with sensitivity labels is that you have to apply them to each file, unlike a retention label which you could apply to a folder or SharePoint site. This is a large overhead for users to remember.


If you have Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, or AIP Plan 2 then you can benefit from automatic sensitivity labeling. However, from a business perspective defining these business rules is not always easy.


@Deleted There's no doubt that an overhead is incurred to assign sensitivity labels one file at a time. However, not every document needs to be labelled unless you want to make this compulsory. Users can be coached to apply labels as they create documents but gaps will exist and you'll still have many documents at rest that won't be labelled. That's why auto-label policies help, even if it incurs E5 licenses. Trainable classifiers are a great help in locating important business documents that can't be easily identified with sensitive data types. This is a complex area that is developing quickly and we will see increased automation and precision as time develops. But it will take time.
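Added example, not from the thread or from Microsoft's guidance page, showing the two controls the replies point at, typed into the admin shells they live in: turn off external sharing on the Team's underlying SharePoint site with the SharePoint Online Management Shell, then create an auto-labeling policy in Security & Compliance PowerShell that applies an existing sensitivity label to files on that site when they match a sensitive information type, starting in simulation mode. The admin URL, site URL, label name, policy and rule names are placeholders; the label is assumed to already exist and be published, and "Credit Card Number" is used only as a stand-in for whatever built-in or custom sensitive information type actually describes the content.

```powershell
# Added example, not the thread's or Microsoft's code. Needs the
# Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules, SharePoint
# admin and compliance admin roles, and the licensing for auto-labeling that the replies
# list. Every name and URL below is a placeholder.
$TenantAdminUrl = "https://contoso-admin.sharepoint.com"
$SiteUrl        = "https://contoso.sharepoint.com/sites/FinanceTeam"
$LabelName      = "Highly Confidential"        # existing, published sensitivity label
$PolicyName     = "AutoLabel-FinanceTeam-HC"

# 1. Lock down the underlying site: no external sharing at all for this site collection.
Connect-SPOService -Url $TenantAdminUrl
Set-SPOSite -Identity $SiteUrl -SharingCapability Disabled
Get-SPOSite -Identity $SiteUrl | Select-Object Url, SharingCapability   # verify the change

# 2. Auto-apply the sensitivity label to files on the site that match a sensitive info type,
#    so users don't have to remember to label each file by hand.
Connect-IPPSSession
$null = Get-Label -Identity $LabelName         # fails fast if the label does not exist

New-AutoSensitivityLabelPolicy -Name $PolicyName `
    -ApplySensitivityLabel $LabelName `
    -SharePointLocation $SiteUrl `
    -Mode TestWithoutNotifications             # simulation first; review matches before enforcing

New-AutoSensitivityLabelRule -Name "${PolicyName}-CreditCard" -Policy $PolicyName `
    -Workload SharePoint `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" }

# 3. Once the simulation results in the compliance portal look right, switch it on:
# Set-AutoSensitivityLabelPolicy -Identity $PolicyName -Mode Enable
```

Starting in TestWithoutNotifications mode matters because the rule's false positives are what make the "business rules" hard to define: you get to see which files would have been labelled before the label (and any rights restrictions it carries) is actually stamped on them.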
