Microsoft Information Protection is a Microsoft 365 technology that has been around for a while and aims to help organisations define, detect, and protect their sensitive data. Once data is marked as sensitive, you can use other Microsoft services such as Azure Information Protection to act on it in a variety of ways, such as double encryption, restricting how the data can be shared, and limiting which external users can access the data once it leaves your environment.
Over January Microsoft are giving everything Information Protection some fine-tuning, starting with how data is classified. Currently data is given a sensitivity rating, which is a confidence level as to how closely it may match a sensitive information type. This is fine but leaves a lot of room for interpretation, which can result in a high volume of false positives or false negatives. This is now being reworked to simply show high / medium / low confidence instead. When data matches these levels, you’ll see the specific string of data that was detected, as well as surrounding contextual data. Your existing policies that currently use this will automatically be updated to use the new confidence level ratings, including:
- Auto-labelling policies
- Communication compliance
- Data Loss Prevention policies
- Retention labels
- Sensitivity labels
On to sensitive information types. Microsoft already include a bunch of default information types that you can build policies around, such as credit card numbers. The list is already quite extensive, and it is being expanded to include over 40 new information types, most notably tweaks and improvements to EU-centric information types.
In addition to the new defaults, extra support is being added for both tweaking these and creating your own. Soon you will be able to copy an existing sensitive data type and tweak it to be more applicable to your organisation. Additionally, better support to create your own sensitive data types is on the way, including expression validators and more precise targeting of data strings by defining prefixes and suffixes.
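To make the idea of a pattern plus a validator plus surrounding context concrete, here is an added conceptual sketch in Python; it is not Microsoft's classification engine or code from this post. The regex, keyword list, 40-character window and the mapping to high / medium / low are all assumptions chosen for illustration, and the sample strings are constructed.

```python
import re

# Assumed pattern for a 16-digit card-like number, with optional spaces or hyphens.
PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Assumed supporting keywords and context window (characters either side of the match).
KEYWORDS = ("card", "visa", "mastercard", "expiry", "cvv")
WINDOW = 40


def luhn_valid(digits: str) -> bool:
    """Checksum validator: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> list[dict]:
    """Return each match with its confidence tier and the context that was inspected."""
    findings = []
    for m in PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        context = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        has_keyword = any(k in context.lower() for k in KEYWORDS)
        if not luhn_valid(digits):
            confidence = "low"      # pattern only, validator failed
        elif has_keyword:
            confidence = "high"     # validator passed and context supports it
        else:
            confidence = "medium"   # validator passed, no supporting context
        findings.append({"match": m.group(), "confidence": confidence,
                         "context": context})
    return findings


# Constructed sample inputs (4111 1111 1111 1111 is a well-known test number).
SAMPLES = [
    "Please charge my Visa card 4111 1111 1111 1111 before Friday.",
    "Tracking reference 4111111111111111 shipped.",
    "Order id 1234 5678 9012 3456 confirmed.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        for f in classify(s):
            print(f["confidence"], "|", f["match"], "|", f["context"])
```

The second and third samples show why a validator and context matter for false positives: both contain a 16-digit run, but only one passes the checksum and neither has supporting keywords nearby.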
Most of these changes are due to be made available over January and February and will be accessible through the Security and Compliance portals.
Bonus – Secure Score Updates
Secure Score has recently received more security recommendations covering various areas of Microsoft 365.
- New recommendations have been added for Defender for Endpoint, including:
  - Disabling local admin & guest accounts on devices
  - More password controls, including setting minimum/maximum password age, length, and password history
- Microsoft Teams is getting its own security recommendations. Currently the only recommendation is restricting anonymous users joining meetings, but we expect more recommendations are coming...