Categories: Microsoft, Modern Workplace, Security | 2020/06/25 at 1:04pm

Retention & Data Loss Prevention: Beware of what’s not covered in your Microsoft 365 environment

Compliance in the workplace can be a bit of a minefield. There are many elements, people and considerations to take into account. When exploring Modern Workplace compliance capabilities, it helps to split them out and look at them individually, rather than as one big clump of confusion.

Looking at retention in Microsoft 365

In the Microsoft 365 universe, built-in retention policies enable organisations to apply labels to content that determine whether it is retained for a specific period of time, regardless of deletion by an end user, or permanently deleted.

One component of this functionality is eDiscovery, the intuitive process of identifying information stored within your files.

“Searching for files and emails manually is not practical. There are too many places to look. eDiscovery has been significant for this, as it allows you to search across the entire organisation, under set parameters,” says Loryan Strant, Product Manager at Insync Technology.

Examples of eDiscovery include searching for legacy data and identifying communication and documents required for HR or legal purposes. However, whilst the functionality is greatly improved, there are some general misunderstandings.

“Inbuilt retention and eDiscovery tools in Microsoft 365 only apply to Exchange, SharePoint, OneDrive, Teams and, more recently, Yammer. Popular applications including Sway, Forms, Power BI and Planner are not covered by the compliance technology, yet this is not always understood,” notes Loryan.
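As an added illustration of the retention mechanism and of the workload scope described above (this is example configuration, not code from the article or from Insync), the following Security & Compliance PowerShell session creates a retention policy and rule. It assumes the ExchangeOnlineManagement module, an account with compliance-admin rights, and made-up policy names and a seven-year (2555-day) retention period.

```powershell
# Added example (not from the article or Insync): a retention policy and rule
# created with the Security & Compliance PowerShell cmdlets. Requires the
# ExchangeOnlineManagement module and a Compliance Administrator account.
# Policy/rule names and the 2555-day period are assumed values.
Connect-IPPSSession

# Scope the policy to the workloads the article lists as covered.
# There is no location parameter for Sway, Forms, Power BI or Planner:
# content in those services is outside this policy entirely.
New-RetentionCompliancePolicy -Name "Records-Retain7y" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ModernGroupLocation All `
    -Comment "Retain business records for 7 years, then delete"

# Keep content for 2555 days from last modification, then delete it,
# regardless of whether an end user deleted it earlier.
New-RetentionComplianceRule -Name "Records-Retain7y-Rule" `
    -Policy "Records-Retain7y" `
    -RetentionDuration 2555 `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction KeepAndDelete

# Teams channel and chat messages need their own policy.
New-RetentionCompliancePolicy -Name "Teams-Retain7y" `
    -TeamsChannelLocation All `
    -TeamsChatLocation All
New-RetentionComplianceRule -Name "Teams-Retain7y-Rule" `
    -Policy "Teams-Retain7y" `
    -RetentionDuration 2555 `
    -RetentionComplianceAction KeepAndDelete

# Review what is actually in scope before assuming you are compliant.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, ExchangeLocation, SharePointLocation,
        OneDriveLocation, TeamsChannelLocation, TeamsChatLocation
```

The closing query is the useful check: the list of populated location properties is the real coverage of the policy, and anything staff store in a service that has no location parameter is not retained by it.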

The outcome is that organisations which believe themselves to be compliant are in fact not. To combat this, Loryan notes several steps organisations can take, specifically:

  1. Understand your compliance in more detail
  2. Focus on mitigating issues
  3. Set policies that prevent staff entering data into unmonitored platforms
  4. Limit permissions to applications based on usage needs
  5. Support your policies with training
  6. Be clear which tools are risky and where staff must take individual responsibility

Data Loss Prevention (DLP), what’s included?

Where retention focuses on preserving or disposing of data, DLP concentrates on the transmission and storage of what is inside the content or data. For example, DLP can automatically detect when Personally Identifiable Information (PII) – such as credit card or Medicare numbers – has been stored or sent in contravention of organisational policy.

Microsoft 365’s DLP can detect patterns, search for keywords and, based on policies, select different actions. You can choose for particular content to trigger a tip or alert.

“Using DLP well can result in automating certain policies. You can flag that PII should not be saved in files, or that information needs to be included in an audit. You can use DLP to auto-forward copies of documents to managers and key staff for approval before release, or just visibility,” says Loryan.

In fact, you can go as far as to simply block content. If a staff member pastes a credit card number into a Teams channel with external guests, DLP would remove the message and replace it with the reason why it was blocked. It is intelligent and effective technology. But, as with retention, DLP is not available to the full Microsoft 365 suite.

The limitations of DLP include the assumption that information will go into an email, conversation or file, when it could be entered in Forms, Planner, Sway and several other services within the platform. DLP needs to be configured correctly in order to stop data leaking out of the organisation. But it is a fine balance: it is easy to over-tune warnings and policy violations, which results in constant alerts, even for legitimate transmissions.

“To head towards being compliant, you need to turn on DLP, observe it, tweak it and adjust it,” says Loryan.
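The credit-card-in-Teams scenario and the "turn on, observe, tweak" approach described above can be expressed as an actual DLP policy. The following is an added example configuration, not code from the article or from Insync; it assumes the ExchangeOnlineManagement module, a compliance-admin account, and made-up policy names, policy-tip text and a report mailbox.

```powershell
# Added example (not from the article or Insync): the credit-card scenario
# built with the Security & Compliance PowerShell cmdlets. Requires the
# ExchangeOnlineManagement module; names, text and mailbox are assumed.
Connect-IPPSSession

# Start in test mode with notifications: users see policy tips and admins
# receive incident reports, but nothing is blocked yet. This is the
# "observe it" phase.
New-DlpCompliancePolicy -Name "PII-CreditCard" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Match the built-in "Credit Card Number" sensitive information type only
# when the content is shared with people outside the organisation, which
# covers a Teams channel with external guests and external email recipients.
New-DlpComplianceRule -Name "PII-CreditCard-External" `
    -Policy "PII-CreditCard" `
    -ContentContainsSensitiveInformation @(@{Name = "Credit Card Number"; minCount = "1"}) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "Blocked: credit card numbers may not be shared outside the organisation." `
    -GenerateIncidentReport "dlp-alerts@example.com" `
    -IncidentReportContent "Title", "DocumentAuthor", "Detections", "Service" `
    -ReportSeverityLevel High

# "Tweak it": after reviewing the incident reports for false positives,
# adjust the rule (for example raise minCount, or narrow AccessScope)
# rather than living with constant alerts. Then switch to enforcement,
# at which point the message is removed and replaced by the policy tip.
Set-DlpCompliancePolicy -Identity "PII-CreditCard" -Mode Enable
```

Note what the policy locations cover: Exchange, SharePoint, OneDrive and Teams. A credit card number typed into a Forms response or a Planner task never passes through this rule, which is exactly the gap the article warns about.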

Don’t skip the detail: configuration is key

To ensure that your organisation is as compliant as you think it is, you need to address your Microsoft 365 configuration. Loryan advises taking the following steps:

  • Don’t rush deployment
  • Align your Modern Workplace DLP and retention policies with your existing organisational policies, noting that traditional policies might need to be updated to reflect what the technology can offer by way of improved controls
  • Did you customise the settings when the platform was first deployed, or did you settle for the default settings? Look at what is and isn’t working, and which components of Microsoft 365 DLP doesn’t cover
  • Communicate clearly with staff about changes to process and policies
  • Regularly review the configuration to ensure it is still relevant to your organisation
  • Run retention and DLP drills internally on a regular basis to ensure you know what is missing

“When it comes to compliance, the biggest part is understanding that you need to change your approach from both an organisational and IT perspective. We used to rely on firewalls but with Microsoft 365 entirely outside the firewall, we need to shift how we think about it. But above all, you can’t rely on a platform doing all your thinking for you, you need to define clear policies, specific to your organisation,” concludes Loryan.

So, when was the last time you looked at your retention and DLP policies and configuration? Are you confident you are compliant? If you need assistance identifying cracks in your Microsoft 365 compliance, contact Insync today.