Using Office 365 to classify and secure your data

Using Office 365 to classify and secure your data

For years ensuring that the right metadata is attached to your data has been essential to helping you organise and manage content. Lately, with Office 365, being able to have a consistent set of labels across multiple services – Exchange and SharePoint in particular- is becoming a requirement.

This is because different data often has different requirements. Personal data may need to be identified within your tenant and not only marked accordingly, but removed when it is no longer deemed necessary. On the other hand, some organisations have a variety of data that must be kept for much longer – ranging from perhaps 5 years to over 100. This data may exist in multiple places – within mailboxes, SharePoint Team sites, Office 365 Groups and OneDrive for Business. A blanket data retention policy is now not always appropriate.

Enter Office 365 Labels

Office 365 labels allow you to define a consistent set of labels within the Security and Compliance Center in Office 365. These translate to retention tags in Exchange and can be assigned to document libraries and files in SharePoint Online and OneDrive for Business.

You can use labels to classify data as you see fit. This might be personal data, financial records or tax data, confidential data or anything you need to mark within your files and emails so that it can be found, kept, deleted or processed as required.

With a basic set of labels defined within Office 365, you can publish the labels to your employees so they can, should they need to, mark data they are working on with labels. That might be an email they have received, or it could be a file they are working on.

The content that is labelled can then follow policies you define at an administrative level. This could be to hold that data for a number of years, delete it after a certain amount of time or some combination of the two.

Office 365 Label Settings

Office 365 Label Settings

For example, you might choose to ensure that all data labelled as a tax record is held for up to 6 years and then can be deleted when needed. Or you may choose that personal data is not put under any sort of hold, but is deleted six years after the date it was created.

Making it easy to label data

Expecting employees to label both their existing data – which could have been accumulated over a number of years – is quite a challenge; and even expecting employees to manually label every new file can be a challenge.

A number of options exist to make it easy for users to label data. Document Library and Email Folder based labelling can simplify organising data as a whole, and keeping it in the correct locations. Automatic policies can be created to label data by default if it’s been added to a particular SharePoint Document library.

Automatic labelling

The nirvana, of course, is not needing to ask people to label data in the first place. However hard people try, incorrect labels will be assigned, people will forget to label data or they will not store data in the correct locations.

Auto label policies allow you to use the label definitions to automatically find and apply labels to content that matches the conditions you define. There are two main options for automatic labelling of data:

    • Keyword-based search for data. This works across Exchange, SharePoint Online, OneDrive for Business and data within Office 365 Groups.
    • Sensitive information types. This works across SharePoint Online and OneDrive for Business, at present.

The most compelling option for automatic labelling is using sensitive information types. Sensitive information types are defined in Office 365 and originally were used to support Data Loss Prevention policies. They are definitions of the criteria that is used to match sensitive information so that a NI number, passport number, credit card number or similar types of information can be automatically identified. There are built-in sensitive information types to match a large number of global types, and if needed you can define and upload your own types.

Office 365 Label templates

Office 365 Label templates

You can then create policies that include the specific sensitive information you are looking for. The policy can be targeted to all SharePoint Online sites and OneDrive for Business accounts, or just a subset if required.

If you prefer to use keyword-based searches, this is possible too, and currently, the only option if you need to target Exchange and Office 365 Groups. You can specify searches with conditions like AND/OR to find and target particular data. A great example of where to use this is when looking for specific keywords that your organisation uses that should not be shared externally, or wider terms like “private” or “confidential”.

Automatically apply Office 365 Labels to specific content

Automatically apply Office 365 Labels to specific content

After defining these policies, they will, over the course the next seven days apply to the data within your tenant. As the policies will add labels to your data which may result in data being held, marked as a record or even deleted, it’s important to make sure these policies are correct. Test first and make sure that you have reviewed the criteria for matching sensitive data, too, so you get the expected results.

Summary

Office 365 labels make it easier to have one source of the truth for what should be applied to content and data within your Office 365 tenant, instead of creating policies in different places. Not only can these be published to users to apply themselves, auto label policies can automatically find and apply labels to data within your tenant, making it much easier to have control over data.

Related Content