Every organization that we encounter eventually reaches a point where governance and compliance planning in the Microsoft Cloud becomes too large to wrap their arms around. This is not a point of weakness; it is a matter of sheer magnitude and complexity. There are, quite literally, thousands of configuration settings within Office 365 and Azure security products. In this blog, it is my hope to focus on how Retention, eDiscovery, and AIP work and need to be designed within O365 and Azure. These will be the Guardians of your Galaxy in the Microsoft Cloud *insert mixtape*.
For Office 365 and Azure security, governance, and compliance features, it should be mandatory to begin with proper requirements, and not begin with a technology. Thus, it will be imperative to extrapolate the business requirements from the conversations we have with business units, legal, HR, etc. I really believe we can build a set of business requirements, even if it is a bit challenging because we are coming at this backwards. We need to first understand what we are protecting, why we are protecting it, and what compliance requirements we must meet. If you can’t get the business requirements first, don’t sweat it – just take the requirements any way you can get them and work backwards to business requirements. Then, position them back to stakeholders as statements and let them tweak them. Remember, we define the risk, but we don’t accept the risk. It is up to the higher pay grades to assume the risk.
When discussing Office 365 backups and rewriting retention policies to match the new cloud ecosystem, most IT and legal teams find that having employees classify content is too big of a learning curve. So, let’s start with one of the foundational pieces of this strategy - labels. Now, when we talk labels, there are two different types of labels in the platform.
First, Office 365 Labels provide a way to tag documents within Office 365 for the purpose of retention, identification, search, and eDiscovery. This should not be confused with classification labeling within Azure Information Protection (AIP).
PRO TIP: These are on the roadmap to be merged into a single solution, making classification and retention much easier and providing capabilities to enforce information protection across the entire platform. This has NOT happened yet though - unfortunately. For now, there is a labeling technology rooted in O365 and a labeling technology rooted in Azure.
Office 365 labels provide several features, but were originally envisioned for retention and deletion policies. Once created, users can select any labels to tag items within an Office 365 environment. To create a default - thus a mandatory label - each document library must be configured with a label. Users can select another label if they so choose, but only one default per library can be selected. Before you move forward with labeling, it's important to ask these questions:
- Does your organization need Retention Policies (force retention for x years and then dispose), Deletion Policies (if a file is x years old, then delete), or both?
- When the file is disposed, does it enter a workflow? Is it immediately expunged? Does it go into the Recycle Bin? These are all questions we need to frame in business terms and get answers to.
- Many organizations are setting the default label to a fairly restrictive label. Thus, users are forced to change the label if they want additional time, etc. on the document. Comprende?
- Does your enterprise or subset have an eDiscovery requirement? This will play into the labeling design.
Now take a breather and enjoy this brief distraction ... "Things are gonna get easier... things will get brighter"
Alright, let's tackle another component of O365. A difficulty right now is OneDrive for Business labels. There isn’t an automatic way yet to enable a default label for each OneDrive for Business. It is possible to code this into existence, but most have been doing it manually unless there are thousands of OneDrive for Business users. With the advent of the Modern UI, the ability to set default labels on OneDrive document libraries has been obscured. This capability is still available and can be accomplished by returning to the OneDrive classic view. Each OneDrive for Business will have to have the default label manually set. This must be done every time a user is on-boarded until Microsoft completes the mechanism to centrally set and control OneDrive for Business labels. Argh.
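Coding the default label "into existence" could look like the following PowerShell, added here as an example and not taken from the original post. It assumes the SharePoint Online Management Shell and the legacy SharePointPnPPowerShellOnline module (`Set-PnPLabel`), a label that is already published to OneDrive locations, and placeholder tenant, account and label names.

```powershell
# Added example: set a default retention label on every OneDrive for Business library.
# Assumptions (placeholders, not from the original post): tenant, admin account, label name.
$AdminUrl  = 'https://contoso-admin.sharepoint.com'
$AdminUpn  = 'labeladmin@contoso.com'
$LabelName = 'Default - Restrictive'     # must already be published to OneDrive locations
$Library   = 'Documents'                 # default OneDrive library title (English tenants)
$Cred      = Get-Credential -UserName $AdminUpn -Message 'SharePoint Online admin'

Connect-SPOService -Url $AdminUrl -Credential $Cred

# Personal sites are excluded from Get-SPOSite unless explicitly requested.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$results = foreach ($site in $oneDrives) {
    $status = 'Labeled'
    try {
        # Elevate only for the duration of the change (least privilege).
        Set-SPOUser -Site $site.Url -LoginName $AdminUpn `
            -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null

        Connect-PnPOnline -Url $site.Url -Credentials $Cred -ErrorAction Stop

        # Default label for new items; existing items are left untouched
        # so a bulk change does not silently restart retention on old files.
        Set-PnPLabel -List $Library -Label $LabelName -SyncToItems $false -ErrorAction Stop
    }
    catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    finally {
        # Always drop the temporary site collection admin right, even on failure.
        Set-SPOUser -Site $site.Url -LoginName $AdminUpn `
            -IsSiteCollectionAdmin $false -ErrorAction SilentlyContinue | Out-Null
    }

    # One row per OneDrive so failures can be reviewed and retried.
    [pscustomobject]@{ Url = $site.Url; Owner = $site.Owner; Status = $status }
}

$results | Export-Csv -Path '.\onedrive-default-label.csv' -NoTypeInformation
$results | Where-Object Status -ne 'Labeled' | Format-Table -AutoSize
```

Credential-based sign-in as shown will not work for an account that requires MFA, and the script has to be re-run (or scheduled) to pick up newly provisioned OneDrives.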
Second, Azure Information Protection (AIP) adds additional security to documents in addition to the container they are already secured within. AIP allows us to classify documents - such as General, Company Proprietary, Vendor Related, and Confidential - for the purpose of both adding technical security controls as well as modifying documents to ensure the visibility of the secure nature of the file. For example, a Confidential file could have controlled access and also contain a watermark, automatically, noting its file type. This helps to adhere to compliance regulations and keep the content within the need-to-know circle it was intended for. This file could also have a footer or header, in addition to or in place of the watermark. Cool stuff. I think this is the future of labeling, and retention may become a secondary feature, although an important one. AIP provides an additional layer of document protection beyond the standard platform security. One of the key features of AIP is that it protects a document as it moves around the galaxy – regardless of location. It gives a document a “have security, will travel” capability without compromising security.
When designing AIP, it’s (again) all about labels, or tags, that are standardized and “approachable”. Users should be able to easily understand what the label represents and what the related security controls would be. While we can centrally manage much of AIP, this technology is power to the users. If we want widespread adoption, we need to pick really good label names, and that’s harder than you’d think. When possible, you should use common names, names that align with your organization’s words/terms that users understand, and you should definitely align labels with your data security & compliance training. Whenever you bring in outside guidance or assistance, this is part of what you should do in a Security & Compliance project. The possible complexity is also why you want to build some of this before any type of migration so that you and your team can set defaults as you migrate data across. It is an art form when trying to go back and automagically label data - even for the best CSOM and PowerShell gurus.
This isn't by any means exhaustive on the subject of security and governance in the Microsoft Cloud; however, this should start you on the right thought process. One last note - if you are a federal contractor and, therefore, need to manage CUI/CDI data, you will need to read this resource! It'll help you better take what's discussed here and apply it to your organization.