Implementing a secure by default approach with Microsoft Purview and address oversharing
Published Sep 26 2024 06:58 PM 3,572 Views

Microsoft Purview provides several solutions and features that complement each other.  For new-to-Purview administrators, it can be overwhelming to know where to start.  Existing administrators may also be less familiar with how additional Purview features could enhance their data security posture. 

 

For example, Data Loss Prevention (DLP) administrators can benefit from features in Microsoft Information Protection (MIP) and Insider Risk Management (IRM) but may never explore them as they can be seen as ‘another solution’.

 

To address this and accelerate how you can augment your data security posture, the Purview engineering team is releasing a new content series available on Microsoft Learn: “Notes from engineering”

 

As the series evolves, it will include different types of content:

  • Purview deployment models – Scenario-based (‘why’) prescriptive recommendations based on successful customer deployment experiences.  These include:
    • Deployment blueprint single-slide visual of activities (‘what’)
    • Storyboard presentation helping narrate the scenario and blueprint activities
    • Detailed guide with clear, actionable, and prescriptive guidance (‘how’)
  • Feature playbooks – Detailed guidance on how to leverage best some of our newer features
  • Articles – Additional documentation such as our Ninja Training recommendations and FAQ, all in one place

Let’s introduce the first published Purview deployment model: Secure by default with Microsoft Purview and address oversharing.

 

 

Secure by default with Microsoft Purview and address oversharing

Microsoft Purview sensitivity labeling provides an efficient and robust capability to protect data. This protection is centered around encrypting your data and preventing oversharing. Labels can then be used as conditions in other solutions such as Microsoft Purview Data Loss Prevention (DLP) and Microsoft Purview Insider Risk Management.

 

The traditional 'crawl-walk-run' approach is often challenging or slow to adopt due to:

  • Defining the label taxonomy
  • Concerns about encryption affecting end users and line of business applications
  • Limited adoption through manual labeling and/or only using auto-labeling to label

 

In the detailed guide, we provide a deployment model focusing on a different approach. We show how to:

  • Configure secure by default sensitivity labeling.
  • Use label publishing defaults and auto-labeling in the Office client.
  • Use contextual defaults in SharePoint sites to rapidly achieve deployment velocity.

 

Traditionally, we train users on when to label and/or attempt to auto-label what is required to be protected.  With this approach, default apply protection, and we train users on how to manage exceptions, such as sharing externally.

 

When you derive Teams and SharePoint site labeling to file labels, you can reach high labeling volumes with limited end-user interactions. This will also achieve a measured approach that helps overcome traditional challenges.

 

To achieve this, the detailed guide provides a list of recommended labels that fit most organizations and maximize the potential of Microsoft Information Protection (MIP), and the list of activities to achieve this with the following blueprint:

 

MaximeBombardier_0-1726846725337.png

 

At a high level, this guidance will:

  • Quickly set up the foundational features to protect any new and updated content in Microsoft 365
  • Fast follow with protecting your priority content
  • Iterate to protect historical data at rest
  • Expand protection beyond Microsoft 365

 

This guidance can also be used to secure your environment for internal oversharing, accelerating how organizations are comfortable with enterprise search and Microsoft 365 Copilot.  Copilot responses will also inherit from the highest priority sensitivity label.

 

To learn more:

Co-Authors
Version history
Last update:
‎Sep 26 2024 11:58 AM
Updated by: