Describe information protection, data lifecycle management, and data governance capabilities of Microsoft Purview Flashcards
Microsoft Purview Information Protection & Data Lifecycle Management
Microsoft Purview Information Protection discovers, classifies, and protects sensitive and business-critical content throughout its lifecycle across your organization. It provides the tools to know your data, protect your data, and prevent data loss.
Microsoft Purview Data Lifecycle Management manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you don’t. It gives organizations the capabilities to govern their data, for compliance or regulatory requirements.
Information protection and data lifecycle management work together to classify, protect, and govern your data where it lives, and wherever it goes.
Know your data, protect your data, and govern your data
-Know your data: Organizations can understand their data landscape and identify important data across on-premises, cloud, and hybrid environments.
-Protect your data: Organizations can apply flexible protection actions including encryption, access restrictions, and visual markings.
-Prevent data loss: Organizations can detect risky behavior and prevent accidental oversharing of sensitive information.
-Govern your data: Organizations can automatically keep, delete, and store data and records in a compliant manner.
Data Classification - Capabilities
Admins can enable their organization to know its data through data classification capabilities and tools in the Microsoft Purview compliance portal, such as sensitive information types, trainable classifiers, content explorer, and activity explorer.
Microsoft Purview provides three ways of identifying items so that they can be classified:
manually by users; automated pattern recognition, such as sensitive information types; and machine learning.
-Sensitive information types (SIT) are pattern-based classifiers. They have set patterns that can be used to identify them. (built-in or custom) (Information Protection)
-Trainable classifiers use artificial intelligence and machine learning to intelligently classify your data. They’re most useful classifying data unique to an organization like specific kinds of contracts, invoices, or customer records. (Pre-trained classifiers or Custom trainable classifiers)
–To get a custom trainable classifier to accurately identify an item as being in a particular category of content, it must first be presented with many samples of the type of content in the category.
The overview section of the data classification pane in compliance portal provides many details at a glance, including:
-The number of items classified as sensitive information and which classifications they are.
-Details on the locations of data based on sensitivity.
-Summary of actions that users are taking on sensitive content across the organization.
Benefits of Content Explorer and Activity Explorer
The content explorer is available as a tab in the data classification pane of compliance portal. It enables administrators to gain visibility into the content that has been summarized in the overview pane.
-Access to content explorer is highly restricted because it makes it possible to read the contents of scanned files. (Content explorer list viewer, Content explorer content viewer.)
-It enables administrators to further drill down into items by allowing them to access and review the scanned source content that’s stored in different kinds of locations.
Activity explorer provides visibility into what content has been discovered and labeled, and where that content is. It makes it possible to monitor what’s being done with labeled content across the organization.
-Activity explorer helps you understand what’s being done with labeled content over time.
Sensitivity Labels and Sensitivity Label Policies
Sensitivity labels enable the labeling and protection of content, without affecting productivity and collaboration. (Customizable, Clear text and Persistent)
-Each item that supports sensitivity labels can only have one label applied to it.
Sensitivity labels can be configured to:
-Provide protection settings that include encryption and content markings
-Apply the label automatically
-Protect content in Office apps across different platforms and devices
-Protect content in containers.
-Extend sensitivity labels to assets in Azure, Power BI, third-party apps and services.
-Classify content without using any protection settings.
After sensitivity labels are created, they need to be published along with a Label Policy.
Label policies enable admins to:
-Choose the users and groups that can use/see labels
-Apply a default label (all new emails or docs that the specified users and groups create)
-Require justifications for label changes
-Require users to apply a label (mandatory labeling)
-Link users to custom help pages.
Once a sensitivity label is applied to an email or document, any configured protection settings for that label are enforced on the content.
Data Loss Prevention (DLP)
In Microsoft Purview, you implement data loss prevention by defining and applying DLP policies. With a DLP policy, you can identify, monitor, and automatically protect sensitive items.
-DLP detects sensitive items by using deep content analysis, not by just a simple text scan.
DLP policies are how you monitor the activities that users take on sensitive items at rest, in transit, or in use, and take protective actions such as:
-Show a pop-up policy tip to the user that warns them
-Block the sharing and, via a policy tip, allow the user to override the block and capture the user’s justification.
-Block the sharing without the override option.
-For data at rest, sensitive items can be locked and moved to a secure quarantine location.
-For Teams chat, the sensitive information won’t be displayed.
All DLP monitored activities are recorded to the Microsoft 365 Audit log by default and routed to Activity explorer.
-DLP policies can be created from predefined templates, or you can create a custom policy.
Data loss prevention capabilities extend to Microsoft Teams chat and channel messages, whether it’s in a message or a file, including messages in private channels.
-Administrators can use DLP policy tips that will be displayed to the user to show them why a policy has been triggered. (chat message that was blocked because the user attempted to share a U.S. Social Security Number.)
DLP policies applied to Microsoft 365 services, including Microsoft Teams, can help users across organizations to collaborate securely and in a way that’s in line with compliance requirements.
What is endpoint data loss prevention?
Endpoint DLP enables you to audit and manage the many activities users take on sensitive items that are physically stored on Windows 10, Windows 11, or macOS devices.
-In the activity explorer, you can view information about what users are doing with sensitive content.
-Admins use this information to enforce protective actions for content through controls and policies.
Retention policies, Retention labels, and Retention label policies
Retention labels and policies help organizations by ensuring content is kept only for a required time, and then permanently deleted.
-Comply proactively with industry regulations and internal policies
-Reduce risk when there’s litigation or a security breach
-Ensure users work only with content that’s current and relevant to them
-Managing content commonly requires two actions: retaining content and deleting content.
With these two retention actions, you can configure retention settings for the following outcomes:
-Retain-only: Retain content forever or for a specified period of time.
-Delete-only: Permanently delete content after a specified period of time.
-Retain and then delete: Retain content for a specified period of time and then permanently delete it.
-If users edit or delete content that’s included in the retention policy, a copy of the content is automatically kept in a secure location.
-To assign your retention settings to content, use retention policies and retention labels with label policies. You can use just one of these methods, or combine them.
Retention Policies:
-Are used to assign the same retention settings to content at a site level or mailbox level.
-A single policy can be applied to multiple locations, or to specific locations or users.
-Items inherit the retention settings from their container specified in the retention policy.
Retention labels
-Are used to assign retention settings at an item level, such as a folder, document, or email.
-An email or document can have only a single retention label assigned to it at a time.
-Retention settings from retention labels travel with the content if it’s moved to a different location within your Microsoft 365 tenant.
-A retention label can be applied automatically if it matches defined conditions.
-A single retention label can be included in multiple retention label policies.
-Retention label policies specify the locations to publish the retention labels. The same location can be included in multiple retention label policies.
Records Management
Microsoft Purview Records Management helps an organization look after its legal obligations. It also helps to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be kept, no longer of value, or no longer required for business purposes.
-Labeling content as a record.
-Establishing retention and deletion policies within the record label.
-Triggering event-based retention.
-Reviewing and validating disposition.
-Proof of records deletion.
-Exporting information about disposed items.
When content is labeled as a record, the following happens:
-Restrictions are put in place to block certain activities.
-Activities are logged.
-Proof of disposition is kept at the end of the retention period.
Regulatory records provide other controls and restrictions such as:
-A regulatory label can’t be removed when an item has been marked as a regulatory record.
-The retention periods can’t be made shorter after the label has been applied.
The most important difference is that if content has been marked as a regulatory record, nobody, not even a global administrator, can remove the label.
Common use cases for records management
-Enabling administrators and users to manually apply retention and deletion actions for documents and emails.
-Automatically applying retention and deletion actions to documents and emails.
-Enabling site admins to set default retain and delete actions for all content in a SharePoint library, folder, or document set.
-Enabling users to automatically apply retain and delete actions to emails by using Outlook rules.
Unified Data Governance Solutions in Microsoft Purview
The Microsoft Purview governance portal provides a unified data governance service that helps you manage your on-premises, multicloud, and software-as-a-service (SaaS) data.
-Microsoft Purview Data Map provides the foundation for data discovery and data governance. By scanning registered data sources, Data Map is able to capture metadata about enterprise data, to identify and classify sensitive data.
-With Microsoft Purview Data Catalog, business and technical users can quickly and easily find relevant data using a search experience with filters based on various lenses like glossary terms, classifications, sensitivity labels and more.
-With Microsoft Purview Data Estate Insights, data officers and security officers can get a bird’s eye view and at a glance understand what data is actively scanned, where sensitive data is, and how it moves.
-Microsoft Purview Data Policy is a set of central, cloud-based experiences that help you manage access to data sources and datasets securely and at scale. (Based on role definitions that are simple and abstracted (for example: Read, Modify))
–Data owner policies. Access policies in Microsoft Purview enable you to manage access to different data systems across your entire data estate.
–DevOps policies grant access to database system metadata instead of user data. DevOps policies only grant access. They don’t deny access.
–The self-service data access policy workflow allows data consumers to request access to data when browsing or searching for data.
-Microsoft Purview Data Sharing enables organizations to securely share data both within your organization and across organizations with business partners and customers. (Preview)