Speaking of security: Information protection

[MUSIC]>>Hello everyone and welcome to our webinar series,
Speaking of Security, where the CSEO Team shares
how we protect Microsoft. My name is Felipe LaMaitre, I’m Senior Director for Security Assurance and I will
be your host for this series. Today, we’ll talk about
information protection. I’m joined by one of our experts
on the topic, Jenn LeMond. Jenn thanks for joining us.>>Happy to be here.>>Jenn, can you tell a little bit about yourself to
the audience please?>>Absolutely. So
my name is Jenn LeMond. I’m the Director of a team called Protection Services which encompasses
vulnerability management, anti-malware, and
information protection.>>Perfect. Thank you. So here’s
the agenda for the next hour. You can submit any questions you have into the question
window at any time. We will do our best to
answer them out loud during the presentation or at the end
during the Q&A session. Before we get started, I want to share some insights
on our internal IT system. So some people think, as you know, that they are very homogeneous, but that’s just not accurate. We have a very diverse ecosystem, we have more than 30
different operating systems, including half a million Linux hosts and one of the largest
populations of Mac PCs, and it’s also a very
large-scale environment. We have over 1.2
million devices hitting the corporate network every month and 20 billion security
events per day. To add more complexity, we have multiple
security organizations distributed all across the company. So it’s a very complex, very
large-scale environment. In order to navigate these, we have been putting a lot
of effort simplifying our security strategy and bringing together all of these different
services that we provide, all the initiatives, all the
investments that we have collectively to protect the company in a way that everyone
can understand. We use this framework based on
this stool to tell the story, and we use it to talk to from
the customers to the board of directors in
a unified and simple way. At the top, you have
information protection, that’s the topic for
today’s discussion. That’s the core
objective of what we do. In order to achieve
information protection, you need to have a solid foundation
on these three key pillars. You need to have insightful data and telemetry across
the Cloud and on-prem, you need to have
strong identity management, and you need to ensure you’re
using healthy devices. You build on top of a foundation of strong risk management
and assurance to make sure that what you think
you’re doing you’re actually doing. It is important to recognize that there are no silver bullets in this. You need to make sure
that you’re doing all of the investments at the same time. Otherwise, what happens is that
if you deinvest in one of them, the stool is going to break. We take all of our
investments as I was saying into these five different pillars. We can see across the screen, in the next slide, all the investments and how our different strategies
map to these six things. We have the services that
we operate day-to-day, and then we have epics which are transformational energies
that eventually will become their own services, will be merging into
an existing service, or will be considered a great exercise that we
don’t need to continue. That’s how we think about
the entire portfolio of investments. We’re going to talk about the
last one, information protection. With that said, Jenn
help us understand, how do we think in Microsoft
about Information Protection?>>Thank you Felipe. So we’ve also simplified our messaging
around information protection. We break it down into, first, you need to discover where
your information is. So identifying where your data is, where your major storage places are, is it on your end point? Once you’ve understood the ecosystem
of where your information is, it’s important to classify it. So you can understand here
is stuff that’s public, that isn’t the stuff that I
really care about necessarily, what I’m really looking
for are the things that are confidential
or highly confidential. So personal information,
customer information, that is the core of what we’re
trying to protect at Microsoft. The next piece, which is a lot of people miss especially in the beginning of an information
protection program is remediation. So a lot of data gets created before you
start rolling out the tools, and you need to go
back and find all of that information and
either clean it up, delete it, or protect it. Then finally, where we
really want to get to is as information is being created
is protected automatically.>>So you’ve been in this journey for many years thinking of
all of these four areas. Which one do you think it’s the area that provides
the biggest bang for the buck for smaller companies or medium companies that are just starting to work on
information protection?>>So the biggest
bang for your buck is really finding your data and
identifying where it is. But specifically,
the parts that you want to focus on and we’ll show
a little bit about this later, again it’s your customer data. Building customer trust and
protecting customer information is key to an information
protection program. You would think that at
a place like Microsoft, protecting intellectual property
would be our core focus, it isn’t really that. It’s ensuring that our
customer data is handled properly, it’s classified correctly,
and it’s protected.>>Right. Which has even more
importance in the current climate of all of these new efforts
that are already out there like GDPR and are
coming on the pipeline?>>Yes. So at Microsoft, customer trust is always
been a core pillar for us, but GDPR has sort of set the bar
for all of our information. We’re a global company, and so using GDPR is the baseline for how we think
about information and how we protect information is one of the key tenets that we
build our platform on.>>Okay. So tell us
about the journey. How did this these
happen for Microsoft, and where are we in this journey?>>It’s easy. No, I’m just kidding. So we started this journey
about five years ago, and this was before we had a lot of tools that can classify
information for employees. We started with
three classifications. It was low business impact, medium business impact,
and high business impact. But that meant that end-users
actually had to type in those classifications into documents and spreadsheets
and it doesn’t really work for things like
data storage or databases. So when Microsoft started building
information protection tools, we took an opportunity to really
look at those labels and say, “Do they make sense
for our end-users?”. What we found, we
actually did surveys, and we found no one at
the company really understood how to apply any of those labels to any
of the documents that were there. So we took an opportunity
to take a step back, look at our labels, and began a journey to change them. I’m stressing this point
because oddly enough, this was the hardest part
of building a program. It wasn’t actually
rolling out the tools. It was getting legal and HR and all the different groups to agree that non-business
public general, confidential and highly
confidential, were the right words. For example, we started with personal as where we
have non-business today. We realized that that
was a very loaded term, especially around the world. So that’s why we changed
that to non-business. So once we had the
foundation of the labels, we started rolling out the tools. Again, the tools were fairly easy. The next big piece we had to
focus on was education and awareness. We have all these new labels. We suddenly have a new tool
set that makes it super easy for an employee
when they’re in their e-mail or in
their office documents to think about the data
that they’re working with, and actually apply a label. So that’s what we call the “User Assisted Classification
and Protection.” Once we had that rolled out, we started the process
of finding the right, what we call “RMS” templates to apply when you’re looking at
confidential, or highly confidential. Today, if you click
one of those terms, you’ll be prompted to apply
a specific template for it like, “FTE only” or “I only want to share this particular document
between you and I because the conversation
we’re having is private.” Once that was done, we spent a lot of time working
with the product groups, and they started to build in
things like recommendation. So in my Office experience and I’m working on information and you’ll get
these little tool tips that’ll say, “Hey, it looks like you’re not
working on general business data. It looks like you’re
working on highly confidential or confidential data.” So why don’t you potentially
classify that correctly? We found that about 50
percent of the time, users actually increase
the confidentiality of that document that
they’re working with.>>Usually machine-learning and
these type of technologies.>>Yes, trying to understand what the information
people are working with. Then, where we’re hoping to go
is automatic classification. So like a lot of the tools that
are on the market including ours, there is still a false positive rate
in those tool tip. So we’re not quite ready to start auto-protecting and
auto-classifying their information, but that is where we’re
hopefully heading.>>Okay, I find it fascinating that there’s so much energy
invested behind the labels. You would think that
the discussions around technology, or the legal implications
of not following through. But the core problem
at least for us was, what’s the best label.>>Right. Part of that is because, again, we can’t
automatically protect yet, so we need our users to really understand what data
they’re dealing with, and an easy way to go, “Yeah, this is a term
that makes sense to me. This is confidential. I need to keep this more protected
than my general business data.” Then, in a highly confidential, this is really key in that, that is typically where
our customer data is. So any customer data that we’re
dealing with, or secrets. So passwords and keys and
those kinds of things. Those are the things that we
really need to keep protected. We need a terminology that was
easy for users to understand, because it’s really
in our users hands.>>Right. So let’s continue
on the labels for a moment.>>Okay.>>On the slide that we
were seeing a moment ago, you talked about non-business
and other alternatives. I think that’s a good insight
that non-business use less load. I think you have also some learnings regarding confidential
and highly confidential on the importance of having both and calling them like these
instead of other words.>>Yeah. So what we’re doing there is really separating
two types of sensitive data. So confidential for us is
typically going to be patents, pre-released code, new
products that are coming out. It is important to protect that data. But we also needed to separate the keys to the kingdom which is
protecting our customer data and ensuring that we had
a separate label and a separate pipeline for
protecting that information. So patents and things absolutely need to keep
them inside of the company. They are not as important as our user information,
our customer information.>>Okay. Is that the reason why you went for five instead
of a smaller number? I think that there’s always people that would argue that’s too many.>>Yes. We did have that discussion. But we found especially at Microsoft, we have very blended work lives. So we’re allowed to do our personal
stuff on our laptops, we are here, working, and sometimes
you have to engage in e-mail that is non-business related. So that’s why we have non-business. We’re also a company that produces
a lot of marketing material. So a lot of information that we
do want to share with the public, and so we needed public. We’ve done a huge bucket
in the middle of that. That is just the
day-to-day business data. It’s not public, but
it’s not confidential. We don’t necessarily need to
encrypt it, and protect it. So that’s where the general label, we almost didn’t do general, we were just going to
do the two pieces. But we needed a way to with the tools to identify this big
middle bucket of information. Then, like I said, the reason we went confidential, highly confidential is, we wanted to separate the concepts of super secret business data
versus our customer data.>>Okay. Do you have any advice for companies that may be in
a different place in the journey? Right now, you said we’re in
the third phase in hybrid.>>Yes.>>Or there’s may be
earlier on these process. Are there any other tips
that you can share besides the importance of properly
aligning everyone behind labels?>>Yes. Actually, I’m going
to go to the next slide.>>Great.>>We’ll tee up. Maybe. Okay. we will tee up
this part of the conversation. So if you’re early in
the information protection journey, you start with governance,
risk and compliance. So it’s legal and HR that are
going to help you to find the most important buckets of information that you need
to focus your attention on. The second is education and awareness and this is why
those labels are so important. So that is the foundation
for how you’re going to mark the difference between your confidential versus
your general business data. The tools honestly are
the least important. Most of the tools, all
do the same thing, it’s building the foundation for
how you’re going to communicate, how to handle your information. So that’s the groundwork
that I would lay first and then the focus should always, always, always start
with customer data. So again, we’re building trust as companies when we’re interfacing
with our employee information, or our customer information. That also tends to be
the easiest part of using the tools because a lot of identification numbers
are structured. Credit card numbers are structured and so the false positive rates on those particular classes
of data tend to be the lowest within information
protection tools. So always, always start there. Once that’s complete, we’ve brought in relatively new concept
which is protecting secrets. So in our previous webinars, we talk about the fact that
identities are extremely important and you have to have
an identity to interact with data. So protecting our identities is an extremely important part of
the information protection journey. So we’ve recently received a set of rules in a lot
of the tools that we have that look for clear texts, usernames and passwords
and Azure keys and secrets and certificates
and those kinds of things. So the second phase of
our remediation journey was lighting up all
of those rules and we find a lot of people that were storing passwords in
things like OneNote because they didn’t think about the fact that those
could also be accessed, especially in a Cloud-first world. So we’ve been on a journey of helping people again if there’s a lot of education
and awareness, where do you, if I can’t store my secret in
OneNote, where do I store it, and things like so
lighting up Key Vault and some internal tools to
help protect that data. Then finally, other
confidential data and this typically should be the last
and it is the hardest to do. So things like, how can I tell
if a document is a trade secret? I have to interact with the group
that does trade secrets. HR data is going to have a very specific structure
within your company. So we have what we call
a white glove service, where we will go work with HR, understand what
their documents look like, what they’re most concerned
about protecting, and we’ll build specific programs
for specific business units.>>Sounds like each one of these
three pillars requires a lot of energy and investment in
order to be properly done, I mean, white glove we’ll
know what that means.>>Yeah.>>There are a lot of people
working with customers that have perhaps the interest and perhaps not so starts
with convincing.>>Yes.>>The one in the middle,
I’m especially passionate.>>Yes.>>It’s a space that
it just keeps giving.>>Yes.>>You think that you have identified all the locations where
a secret can be stored, and you discovered that
there’s another location.>>Yes.>>They are in the code, they’re in OneNote, they’re in SharePoint.>>Yeah.>>In the draft folder of exchange.>>Right.>>I mean it’s massive. Would you agree that that’s as understated area of investment
for a lot of corporations?>>I believe so. Part of that is because a lot of the tools didn’t support finding secrets like that. So this is a relatively
new capability that we’re starting
to take advantage of.>>Yeah, so sometimes we
need to build those tools, sometimes we can use first-party products from
Microsoft to do this, but sometimes we just need
to hack a way through.>>Yes. Yeah.>>What would you say is another overstated
or understated area of investment here that you would? Just sharing advice, hey, this is a lot of marketing, so overrated perhaps
is the right word or underrated because we see a lot of value and no one’s going after it.>>So in the overrated, and I’m sure the audience will agree, if you’ve tried to do
any information protection, that the tool will just magically find all your information for you. That still is just not the case. A really good example is, so when, doesn’t happen very often, but when there are crashes
in the operating system, it creates a file
called a memory dump. It just so happens that the memory structure or the data structure mirrors
social security numbers. So that happens to be
a big false positive place for us. I have found that with
any tool that I’ve used over the last 10 years that there
usually needs to be some pre-processing to reduce
false positive rates that we still aren’t there yet. What I’m hoping is as things
like machine learning and artificial intelligence become
more accessible to people like me, that that is an area
that could really impact finding and understanding data and data structures
that hopefully can reduce that false positive
problem in the future. So we don’t have to
engineer around it.>>Yeah.>>Yeah.>>I would agree when
you’re walking through the expos the amount of marketing and materials that
sell dreams is massive, so absolutely a highly
overrated area. Is there an underrated area
as well that you think here?>>So I think an underrated area and another way to think about how to tackle what can be
a very massive problem, especially when you’re first
starting is a file on your laptop, the thing that I need to
go after, for example. Even within the customer
and regulatory data space, we took another crack at slicing which documents
we were going to go after. So, for example,
Azure Information Protection has a file share scanner. We are dealing with somewhere in the neighborhood
of 200 million documents. Not all with secrets in them, but there is a large chunk of
that with secrets in them. So the first thing that we started to tackle is the file share wide open. Everybody has access, so we started with that chunk
of information. Then we’re looking for
other broad access groups and then we tackle that side. So we break it up into chunks, remediate that chunk
first and then move on to the next level of risk, if you say. Secrets that are going
around internally between you and I in e-mail. That’s less important to me than one that’s going out, for example. So it’s another way to tackle the problem and another way
to think about it. This is one area you don’t
want to boil the ocean, you just won’t get anywhere, and it’s too overwhelming.>>I like what you’re saying, where you are breaking down
the problem to small chunk. What I would add is, as you finish one of the chunks, it’s good to bring
a layer of how do I avoid this from ever
coming back from my system. So you move from only
getting to green, if you wish, on the burndown,
to purging, permanently, the problem because it
cannot come back again, you have engineered a solution
where you cannot save, or you cannot check in code, or whatever is the motion,
now it’s forbidden. Then, you stay green. Because I think that’s another area where people living these burndowns. They do a lot of
energy, they remediate, and they change
the energy, goes back up, and then this is going to be the emergency of
people in five years.>>Yes. You’ve actually
brought up a fantastic point. So finding and remediating
the data itself is one piece, but if you don’t tackle the root cause of why
that data landed there, what was the end-user thinking? Did they not have the right tool to do the thing they were trying to do? Did they just misunderstand how
that data is supposed to be used? Then, hopefully, putting technology in place
to stop things like that. But again, this is
another opportunity for education and awareness. So the team, I would say, when we find information
being mishandled, 90 percent of the time it’s
just a bad business practice. You’re right. You have
to go back and fix the bad business practice, otherwise, you’re just going to end up with another pile of remediation
you need to do in the future.>>Right. You’re
managing symptoms and that consumes your bandwidth
but at the end, you’re not building into the future for
a higher level of maturity, you are just surviving. You’ll never move away. So you’ve touched on
a very important point; education and awareness. Until tools mature
to the right point, you depend on the user. So how do we think about this effort? How do you see the investment
between the technology-side, the technical humans, and the more education and
awareness efforts, which are different skill sets
and different teams?>>Right. So I think
some of the learning is, there isn’t a one size fits
all for education awareness. The types of processes again, like, HR and finance use are very
different than our developers, for example, which is
where we tend to find the most identity secrets. So there’s general
education awareness campaigns that we do
for the whole company, but we’ve also done
some very focused training. For example, for developers, where we brought them all
through and we talked about how they need to manage
their secrets and their data because that’s usually about
how do you write secure code? How do you lock down your databases? How do you ensure that you’re
encrypting the right columns? How do you ensure that you don’t
have usernames and passwords in your code to access the databases? Then, what we would love to
get to is you do the training, they go, okay, yeah, we got it, and then they’re going to forget
in a month or two months. So that’s where the tool-tips in the products itself is so important. So I forgot my training and
I’m working with a document. When you get that little
tool-tip that goes, hey, it looks like you’re working
with sensitive data, it’s an immediate feedback
to the end-user. That, Oh that’s right, I need to think about this. So it keeps them aware
in real time over time.>>Okay. How long do
you think it takes for new labels and behaviors to
fully land on our user-bases? Is this a six months, one year, two years. I know it’s hard to measure, but do you have any ballpark numbers?>>I would say it probably
took about a year. As we rolled the tools out, we were tracking how many people were labeling confidential
or highly confidential. So we had a baseline before we started rolling out
these education awareness campaigns, and you could see things beginning to land by the change in the way
the labels were being used. When we did the big in-person
training with our developers, we did see a big spike in
how those labels were, well, just that the labels
were being used at all. Then, we do also see, like I said, when we work specifically with a business group that we know
how sensitive information. Again, that’s your HR, that’s your
legal and your finance groups. Focus on those and help them get up to speed on how
the tools are used, and you can see sort of gradual
increases in labels being used.>>Got it. So we’ve covered
a few questions from the audience. I have a couple of
additional questions.>>Okay.>>How do you think about
data loss prevention metrics, and how do you tell stories
around effectiveness? Do you connect these metrics
to something else? How is that metric side going?>>The metrics side.
That’s always fun.>>It’s important though?>>It is absolutely important. So anytime, let’s say, turn on a new rule. You run the rule across all of your data-sets and you get
a baseline of the problem. So we always start
with that baseline. We also track that baseline
by business unit. In business unit at
Microsoft is the name we use for a division within our company, again, HR, legal,
those kinds of things. So you start with your baseline, and then we track
our remediation efforts. So you should see and then
we call them burndown list. So let’s say, I discover 1,000 sensitive documents
that are not protected the way that they’re supposed to be protected and you have that burndown. What you want to layer
on top of that is, again, the increase in label usage. So burning it down is
a discrete bucket of work, but the next thing
you want to see is, did I fix the bad business practice? Meaning, I’m seeing
label usage go up, confidential or highly confidential being correctly and
accurately applied to the rules that are firing
within a specific tool-set.>>Okay. You touched on a point that we covered
in a previous webinar, which is the importance of having the right governance in all of this, and how do you display
things as a division leader? How do you bring representatives
of the different divisions, and what’s the governance model
to hold them accountable?>>Yeah.>>If someone’s interested, you can go to the Risk Management
webinar that we recorded before. I think that’s a piece that
sometimes it’s also underrated, and people believe
that attacking with either technology or a lot of
marketing is going to be enough, but you need to bring the right
governance layer to all of these. That’s why it’s the foundation
when we think about the stool and the framework
that we were talking before.>>Yes, absolutely.>>So another question from
the audience, thank you. What’s your thinking
regarding migrations from legacy templates and legacy labels into whatever is going
to be the new one? Right now, you are in a process, but eventually in a few years
we may need to evolve again. So how do we think about that?>>So that was a part of the program, and part of what we did was we set up a rule to flag
low business impact, medium business impact,
and high business impact. Because that gave us a sense of A, what had actually been classified. Because it was all manual,
there wasn’t a lot. Nobody’s going to type
low business impact, medium business impact, high
business impact into a document. The goal is, actually I’m
going to take a step back. So when you’re tackling
all of this information, one of the biggest things
you can do is see how old is that information and
has it been accessed recently? If it hasn’t, get rid of it. That’s the easiest thing to do, delete as much of the sensitive information
especially if you’re not seeing it being used or it’s 10 years old. We’ve found caches like that. So get rid of that pile. Then as people are, again, interacting with the document, so now if we’ve gotten rid
of the files nobody’s using, if they’re interacting
with a document, again, they’re going to get
that tool tip that says “Reclassify this into one
of the current labels.”>>You actually bring
a piece of advice that I think applies to a lot of
different situations which is, before you drive a burn-down or
you start to solve a problem, the first step is how much can I delete without even thinking
about removing secrets, or securing, labeling, or
whatever is the operation. In the security space, sometimes we jump into the solutioning and we should
take a step back and say, “Everything that looks like this, let’s do a screen test, delete, you store it
for a little bit, if no one complains then you
have a much smaller burn-down.” That applies to branches in the code when you’re
thinking about app security, that applies to document, or file stores, or data repositories. I think it’s a great insight, so thanks for bringing that out. So let’s talk about what type both strategies are you using and what type of tooling are
you thinking about in here?>>[inaudible] I’ll give that to go. So we are using a 100 percent of Microsoft’s products
which obviously makes sense. So we use Office
Information Protection. So for SharePoint, OneDrive, and Exchange we are piloting
Windows Information Protection. That’s a little more complicated when we’re talking about endpoints, and then Azure Information
Protection which has two pieces. One is the labeling functionality that we can push to
the endpoint that, again, puts those labels and
those tooltips into Office documents as well
as a file share scanner. So what we do with
that information is we light up the rules and actually, sorry again, I’ll take a step back. So we light up a set of rules, so one of the other things that
I don’t hear a lot about is, again, we’re a global company. It’s got to be bigger than social security numbers and credit cards. That is very US-centric way
to look at the problem. But when you look at all the other identity numbers
that are out there, I think there’s something
like another 60 rules that you turn on when you’re talking about global sensitive information. So we turn those on in pieces, so we can work around, see what is the false positive rate? Is this something that we’re actually going to have
to essentially pull out the system and apply some logic to reduce the false positive rates before we can start remediation. Then we pull the information out, and for things that
aren’t being remediated we send e-mail to the user, that’s the first strike. If they don’t fix the problem, we send a second mail that
includes their manager, and if that doesn’t work
then we auto protect. So we’ll auto-apply an RMS template
that will lock the document down.>>Okay. Again, thinking
about bang for the buck, what would be your advice for older companies that haven’t
deployed everything? Where would you start the energy behind
these three potential options?>>So I would look across the company and find the logical places
where there’s going to be, again, that first pillar. Where’s your customer data? Where’s your sensitive information? Where’s your regulatory information? You will always start there. So you focus on your education
awareness there, for us, it’s going to be HR, legal, finance, and then products like, oddly enough, our Cloud offerings. That’s where our customer
information is and that would be the focus
for us in where we want to ensure that we had the tooling to discover
sensitive information, where we’re going to
focus our energy on education awareness and
that’s where we would focus any white glove projects to help ensure that
those things are secure first. Then also applying
that other risk pivot. Is it externally facing? Is it a wide-open share? Is it information that is leaving the company versus
staying around in the company? So between those two lenses, that’s where I would start.>>Okay. Thank you. So we have one more question
from the audience. You have these big universe
of information, a subset of the
information is labeled, and you are growing that universe with all of the efforts that you’ve
described before. However, there is still
a fairly large set of information that is
not properly labeled yet. How do you think about
this other side of the universe?>>So with those same lenses, the things that are not labeled, one of the questions
is, does it need to be? So we do automatically label, for example, all of our
e-mails we start with general. So we can see things that
are shifting back and forth. But for data that has not been labeled or essentially created before the tooling was there, the first question is, does
it need to be labeled? Because I would say 10 percent of the information that’s
out there falls into that highly confidential
or confidential bucket.>>Only 10 percent?>>Yes. Because well, I don’t know if it’s just Microsoft
because we send millions of e-mails, virtually nothing, so it’s rare for us to be exchanging information that is sensitive. So take that bucket out and for the rest of it
that’s where we’re focusing these burn-down campaigns in exactly the order that we’ve
discussed before around. Here’s the stuff that does need to
be labeled that is not labeled. We’re going to focus
on anything that is high risk because of
the environment it’s in, because it’s publicly facing
because it’s on a wide-open share. We will focus always, always, always focused on
the customer information.>>Great. I think you have a few best practices to
share with the audience.>>Yes. So I know that
we’ve talked about this, but it is key to choose classification terms that
make sense to your end users. Until that magical day
that AI understands all of the information
that we’re working with and can automatically protect, we are heavily dependent
on our end users doing the right thing with the information
that they’re working with. So choosing labels that are simple to understand and then tracking
how those labels are being used is a key piece to the foundation of
any information protection program. Then proactively educating. You can roll out labels and your users are going to
look at them and go, “I don’t know what to do with this.” So building things, one of the tools that we built internally
was a classification wizard. So it’s a website
with a whole bunch of different data types
and you can click on a little check box and it’ll say,
“That’s highly confidential.” So anything you can do to help an end user help themself is going to reduce the toil on
your information protection team. We need people doing the right thing as part of
their day-to-day business. Which takes me to
the third bullet that’s up there is the more that
you can just make this into your end user’s
day-to-day work experience where it isn’t something
separate that they have to think about will increase the success of your documents and
your information being labeled the way that it should
be just right off the bat.>>Great. That’s
great advice. Thank you.>>You’re welcome.>>I think we’d have
one more question here. When you recommend labels, how do you do that? Is that DLP policy? What’s the process behind
those recommendations?>>Yes. So it is built-in to the DLP policies in
SharePoint, OneDrive, and Exchange, and essentially
within the policy you set the rules that
you’re looking for. So let’s say credit card
number for example, and credit card numbers
are highly confidential. The tool itself will
actually recognize that piece of data and that’s what causes the tool tip to
pop up for the end user. So it’s based on the rule set
that you set in the policy.>>Okay, perfect. So thank you for that. We have a few resources
for people to follow up, and with that said I think we’ve covered all the questions
from the audience. So thank you for that. Jenn I really want to thank
you for all your insights, your information, and
for all your time, so thank you for that. Thank you everyone for joining us. We really hope this was
valuable for all of you. We’re facing similar challenges. We’re big believers
as I’ve shared many times in sharing and
learning from each other. You can go to Microsoft.com
IT showcase to find the on-demand version as well as many other webinars that
we talked about before. It’s a fairly large series and I
hope that it continues growing. Thank you for your time and
see you in the next one. [MUSIC]
