Jan 27 2020 07:00 AM - edited Jan 27 2020 07:52 AM
Just been through the Microsoft guidance on securing files in Teams: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-files-in-teams
For highly confidential files, the approach is to restrict the underlying SharePoint external sharing permissions and leverage a retention label (which is automatically applied to all files uploaded to the Team site) as a DLP condition. This is fine, but once I have this all set up I'm left with one question that I hope someone can answer: a user can simply go to the underlying SharePoint site, change the retention label on a document, and thereby completely bypass the associated DLP policy.
How can I make it so users cannot change the automatically applied site-level retention label? Either I've missed something, or that Microsoft guidance has a huge hole in it?
Thanks in advance.
Jan 27 2020 09:40 PM
@Tony Redmond any ideas here? I still haven't messed around with labels much, but figured you might know off the top of your head.
Jan 27 2020 10:05 PM
@Chris Webb are you an MS365 tenant with mobility+security or E3/365 Premium? Options could be restricted because of your subscription.
Jan 28 2020 02:07 AM
@Ben_Stravinsky For highly sensitive files, the guidance is to apply an Office 365 sensitivity label to the files stored in SharePoint Online. This will ensure that only the people assigned rights to the files can access the content. Sensitivity labels are very different to retention labels. https://www.petri.com/using-office-365-sensitivity-labels.
Users can't change the sensitivity label on a file. Only the author or those with co-author permissions can do so.
Aug 26 2020 03:49 PM
@Tony Redmond the problem with sensitivity labels is that you have to apply them to each file, unlike a retention label, which you could apply to a folder or SharePoint site. This is a large overhead for users to remember.
If you have Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5, Office 365 Advanced Compliance, Enterprise Mobility + Security E5, or AIP Plan 2, then you can benefit from automatic sensitivity labeling. However, from a business perspective, defining these business rules is not always easy.
Aug 26 2020 04:20 PM
@Deleted There's no doubt that an overhead is incurred to assign sensitivity labels one file at a time. However, not every document needs to be labelled unless you want to make this compulsory. Users can be coached to apply labels as they create documents but gaps will exist and you'll still have many documents at rest that won't be labelled. That's why auto-label policies help, even if it incurs E5 licenses. Trainable classifiers are a great help in locating important business documents that can't be easily identified with sensitive data types. This is a complex area that is developing quickly and we will see increased automation and precision as time develops. But it will take time.