Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What Are Office 365 Sensitivity Labels?

Office 365 Sensitivity Labels

An Office 365 sensitivity label is essentially a type of tag which is applied to content that contains sensitive data, whether text documents, spreadsheets, or emails.

Tagging sensitive content makes it a lot easier for security teams to keep track of where their data is located and how it is being accessed and shared. This in turn makes the data easier to protect.

Sensitivity labels can also be used to warn users if the document they are handling contains sensitive data, which may encourage them to be more careful with it. A document containing sensitive data can also have a retention label applied to it, which determines how long the document can be accessed.

Sensitivity labels in Office 365 have certain attributes. For example, they are customizable, which means you can create your own categories to suit your specific business needs. The labels are stored in plain text in the document’s metadata, to ensure that all applications and services can read the label and apply protective measures accordingly.

Sensitivity labels in Office 365 are also persistent, meaning that they cannot be tampered with by an unauthorized user. Administrators also have the ability to determine how the content is marked, whether that involves applying a header, footer and/or a watermark, as well as configure the font, font size, and color of the marker.

The Benefits of Using Office 365 Sensitivity Labels

By applying sensitivity labels in Office 365, you can:

  • Enforce encryption or watermarks on specific documents.
  • Protect sensitive content across multiple platforms and devices.
  • Allow third-party applications to read the labels, using the Microsoft Information Protection SDK.
  • Use sensitivity labels to help with usage reports and business analytics.

Who Can Create and Manage Sensitivity Labels?

In order to create and manage sensitivity labels you will need to be a Global administrator. However, other members, such as compliance officers, can be granted non-admin access to the Microsoft 365 Compliance center, Microsoft 365 security center, and Security & Compliance Center, where they can review the labels.

Global administrators also have the ability to set up groups and assign a Sensitivity Label Administrator to each group, who will have permission to create and manage sensitivity labels for any content that falls into their group. If you want to grant read-only access to labels, you can use the Sensitivity Label Reader, which is a dedicated role in Office 365.

Enabling and Configuring Sensitivity Labels

To get started with sensitivity labels, the first step would be to enable unified sensitivity labels in either the Microsoft 365 Compliance center, Microsoft 365 security center, or the Security & Compliance Center.

After setting up the necessary labels and roles, you will need to assign the relevant permissions and administrators. You will also need to configure your privacy and external user access settings, which involves deciding whether you want to allow people from outside of your organization to access protected content, and if so, the specific content they are allowed to access. Likewise, you will need to configure policies for external sharing and device access settings.

Encryption and Retention

As mentioned previously, applying sensitivity labels gives us more control over who can/can’t read documents containing sensitive data, and this is typically achieved through the use of encryption. If you want to be extra safe, you can encrypt sensitive data using Double Key Encryption (DKE), which, as you might have guessed, requires two keys together to access the protected content. As also mentioned, administrators have the ability to set an expiration date on the content, which would render it unreadable/inaccessible after the retention period has expired.

Auto-Labeling

Auto-labeling is a very useful feature, as it can identify and label sensitive data at the point of creation and modification. Auto-labeling is particularly useful when applied to emails that contain sensitive data, as it would be unrealistic to expect users to accurately apply the appropriate labels each time they send an email. This in turn will help to prevent data loss. Of course, automatic labeling is also prone to errors, and so there will need to be some form of human intervention to ensure that labels are being applied correctly.

Alternatives to Office 365 Sensitivity Labels

Office 365 sensitivity labels are suitable for most organizations’ needs. However, it should be noted that there are many third-party solutions that provide features/benefits that are not available in Office 365. For example, a third-party solution will be able to discover and classify a wider range of data types, in a wider range of documents.

Some solutions can even identify sensitive data found in images.

They can discover and classify data covered by the data privacy laws that are relevant to your industry, such as HIPAA, SOX, PCI, GDPR, CCPA, and more. At the click of a button, you can generate detailed and customizable reports, which can be sent to the relevant authorities in order to demonstrate your compliance efforts.

A sophisticated data classification solution will deliver real-time alerts to your inbox or mobile app whenever classified data is accessed, moved, modified, or removed. They typically use machine learning models to learn typical usage patterns surrounding classified data and even automate a response when classified data is accessed or used in a way that deviates from these patterns.

Office 365 sensitivity labels are a powerful tool that will give you visibility into how your sensitive documents are accessed and shared. They also help to ensure that users are more careful when they are sharing sensitive documents. Finally, it’s worth noting that Office 365 now comes with Azure Purview Sensitivity Labels (currently in preview mode), which allow you to apply labels to schematized data like columns in Azure SQL DB, Cosmos DB, and more.

If you’d like to see how the Lepide Data Security Platform can help discover and classify your sensitive data, as well as helping to detect data security threats, schedule a demo with one of our engineers.