Information Security & Compliance in O365 for SharePoint
Ajay Iyer
Sr. Consultant (Microsoft)
Ajay Iyer
Sr. SharePoint Consultant (Microsoft)
Dabbling with SharePoint for over 10 years
SharePoint Online, OneDrive for Business, Search, Security &
Compliance, Migrations, Enterprise Content Management
Speaker at SharePoint Saturdays in Minneapolis, Nashville, Chicago,
Cincinnati & St. Louis
Twitter: @shankarajay1
Objectives
Simplify and protect access
Allow collaboration and prevent leaks
Stay compliant
Secure administrative access
Requirement(s)
E3 or E5 Plan in Office 365
On-Prem AD synchronization with Azure Active Directory (AAD)
Azure Subscription (if using Azure Information Protection)
Requirement(s)
E3 Plan                                E5 Plan (includes E3 features, plus)
eDiscovery Legal Hold                  Advanced eDiscovery
eDiscovery export & case management    Advanced Data Governance
IRM, DLP & Encryption
[Diagram: Security & Compliance in Office 365 across Legal, Medical/HIPAA and Intellectual Property scenarios]
Why Security & Compliance?
Establish Information Protection Priorities
Set Organization Minimum Standards
Find & Protect Sensitive Data
Protect High-Value Assets
Security & Compliance Center
Open it from the Office 365 Admin center, or browse to https://protection.office.com
Security & Compliance Center
Data Classifications
Data Loss Prevention
Data Governance
Search & Investigation
Data Classifications
Labels
Labels play the role of the old content-type retention policies (information management policies) in SharePoint On-Premises, but are defined once in the Security & Compliance Center and apply across Office 365
Retention policies can be applied tenant-wide or to specific mailboxes, sites, OneDrive accounts and groups
Labels can be applied automatically to new and existing content, including as the default label for a document library in SharePoint Online
Auto-Apply Labels are AWESOME (E5 / Advanced Data Governance feature)
• You don’t need to train your users on all of your classifications.
• You don’t need to rely on users to classify all content correctly.
• Users no longer need to know about data governance policies – they can focus on their work.
• Caveat: auto-apply runs as a background job and can take up to 7 days to label existing content, and it never overrides a label a user has applied manually.
You can choose to apply labels to content automatically when that content contains:
• Specific types of sensitive information (e.g. credit card numbers, SSNs).
• Specific keywords that match a KQL query you create.
Manage lifecycle of Emails & Documents using Retention Features
Retention Tags & Policies
Document Deletion Policies
Preservation Policies
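Added example, not part of the original deck: the label workflow from the slides above as Security & Compliance Center PowerShell, creating a retention label, publishing it so users can apply it, and auto-applying it to content that contains a sensitive information type. The label, policy and rule names, the tenant admin UPN and the retention period are assumptions.

```powershell
# Added example (not from the deck). Requires the ExchangeOnlineManagement module and
# a Compliance Administrator account; names and the 7-year period are hypothetical.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Define the label: keep for 7 years from last modification, then delete.
New-ComplianceTag -Name "Contract" `
    -Comment "Signed customer contracts: retain 7 years from last change, then delete" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType ModificationAgeInDays

# 2. Publish the label to all SharePoint sites and OneDrive accounts so that users
#    (or a library default) can apply it manually.
New-RetentionCompliancePolicy -Name "Publish-Contract-Label" `
    -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Publish-Contract-Rule" `
    -Policy "Publish-Contract-Label" -PublishComplianceTag "Contract"

# 3. Auto-apply the same label wherever a credit card number is detected.
#    Auto-apply needs its own policy; a rule either publishes or applies a label, not both.
New-RetentionCompliancePolicy -Name "AutoApply-Contract-Label" `
    -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "AutoApply-Contract-Rule" `
    -Policy "AutoApply-Contract-Label" -ApplyComplianceTag "Contract" `
    -ContentContainsSensitiveInformation @{Name = "Credit Card Number"; minCount = "1"}
# Keyword-based alternative for step 3 (KQL query instead of a sensitive information type):
#   -ContentMatchQuery 'ContentType:"Contract" OR FileName:"*MSA*"'

# 4. Verify: the label exists and both policies are being distributed.
Get-ComplianceTag -Identity "Contract" | Format-List Name, RetentionAction, RetentionDuration, RetentionType
Get-RetentionCompliancePolicy -Identity "AutoApply-Contract-Label" -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus
```

The auto-apply policy only labels content that has no manually applied label, and existing content can take up to 7 days to be processed, so check the distribution status before concluding that the rule is not matching.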
Data Loss Prevention (DLP)
• Policies can span all locations in O365, including Exchange Online (EXO), SharePoint Online (SPO) and OneDrive for Business (ODfB), or you can scope them to specific mailboxes, sites or OneDrive accounts
• Detect when sensitive content is shared outside your organization, and optionally block the access
• Ability to run the policy in test mode (with or without policy tips) before enforcing it
• Can customize policy tip messages & notification email text
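Added example, not part of the original deck: one DLP policy spanning EXO, SPO and ODfB that detects credit card numbers shared outside the organization, starts in test mode with policy tips, and is only switched to enforcement after the matches have been reviewed. Policy and rule names, the admin UPN, the incident-report mailbox and the custom texts are assumptions.

```powershell
# Added example (not from the deck). Requires the ExchangeOnlineManagement module and
# Security & Compliance Center PowerShell; all names and addresses are hypothetical.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Policy: all three workloads, test mode with policy tips (users see the tip, nothing is blocked yet)
New-DlpCompliancePolicy -Name "PCI-External-Sharing" `
    -Comment "Detect payment card numbers shared outside the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: one or more credit card numbers, content accessible from outside the tenant
New-DlpComplianceRule -Name "PCI-External-Sharing-Block" `
    -Policy "PCI-External-Sharing" `
    -ContentContainsSensitiveInformation @{Name = "Credit Card Number"; minCount = "1"; minConfidence = "85"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This file contains payment card data and cannot be shared outside Contoso." `
    -NotifyEmailCustomText "A file you own or last modified contains payment card data and is shared outside Contoso. Remove the card numbers or the external sharing." `
    -GenerateIncidentReport "secops@contoso.com" `
    -IncidentReportContent Title, DocumentAuthor, Detections `
    -ReportSeverityLevel High

# Review what the rule matched while in test mode
Get-DlpComplianceRule -Identity "PCI-External-Sharing-Block" | Format-List Name, Mode, BlockAccess, AccessScope

# Once false positives are tuned out, enforce the policy (BlockAccess now takes effect)
Set-DlpCompliancePolicy -Identity "PCI-External-Sharing" -Mode Enable
```

Keep the policy in TestWithNotifications until the incident reports show only true positives; switching to Enable turns the same rule from a tip into a block, so the enforcement step is a one-line change rather than a second policy.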
Search & Investigation
Search for sensitive content in your tenant & create saved searches
Review O365 audit logs
Create activity alerts for specific users and operations
Create & manage eDiscovery cases
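Added example, not part of the original deck: reviewing the O365 audit log for external-sharing events and creating an activity alert, as described on this slide and the DLP slides. It assumes audit log search is already turned on for the tenant; the admin UPN, domain, user addresses and output file name are assumptions.

```powershell
# Added example (not from the deck). Search-UnifiedAuditLog needs the Exchange Online
# module; New-ActivityAlert needs Security & Compliance Center PowerShell. Hypothetical names.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# SharePointSharingOperation covers sharing links and invitations for SPO and ODfB
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointSharingOperation `
    -Operations AnonymousLinkCreated, SharingInvitationCreated, SharingSet, AddedToSecureLink `
    -ResultSize 5000

# AuditData is a JSON string; flatten the fields a reviewer actually needs
$report = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $d.CreationTime
        Actor      = $d.UserId
        Operation  = $d.Operation
        Site       = $d.SiteUrl
        Item       = $d.ObjectId
        SharedWith = $d.TargetUserOrGroupName   # empty for anonymous links
        ClientIP   = $d.ClientIP
    }
}

# Anonymous links and shares to addresses outside the tenant are the ones to look at first
$report |
    Where-Object { $_.Operation -eq 'AnonymousLinkCreated' -or
                   ($_.SharedWith -and $_.SharedWith -notlike '*@contoso.com') } |
    Sort-Object Time | Format-Table -AutoSize

$report | Export-Csv -Path .\external-sharing-last7days.csv -NoTypeInformation

# Activity alert for specific users: mail the SecOps mailbox whenever these two accounts
# create a sharing invitation or an anonymous link
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com
New-ActivityAlert -Name "External sharing by finance leads" `
    -Operation SharingInvitationCreated, AnonymousLinkCreated `
    -UserId laura@contoso.com, julia@contoso.com `
    -NotifyUser secops@contoso.com `
    -Description "Alert on external sharing by the finance leads"
```

Search-UnifiedAuditLog returns at most 5000 rows per call; for a busy tenant narrow the window or page with -SessionCommand ReturnLargeSet and a -SessionId.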
Security & Compliance in SharePoint Online
• Recommended to set the Default link type to “Direct” (only people with existing access) or “Internal” (only people in your organization), never anonymous
• Recommended to limit external sharing to specific allow-listed domains, if possible
• Recommended to set an expiry on anonymous links
• If needed, restrict access to your sites to specific IP subnets
• Restrict access from apps that don’t support modern authentication (legacy auth cannot be put behind MFA or conditional access)
Security & Compliance in OneDrive for Business
• Restrict access from apps that don’t support modern authentication
• Recommended to limit sharing to specific domains, if possible
• Recommended to set an expiry on anonymous links
• If needed, restrict access to OneDrive to specific IP subnets
• The OneDrive sharing level can be equal to or more restrictive than the tenant-wide SharePoint Online setting, never more permissive
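Added example, not part of the original deck: the recommendations on the SharePoint Online and OneDrive for Business slides applied with the SharePoint Online Management Shell, with the settings read back before and after so the change can be reviewed or rolled back. The tenant name, partner domains and IP ranges are assumptions.

```powershell
# Added example (not from the deck). Requires the Microsoft.Online.SharePoint.PowerShell
# module and a SharePoint admin; tenant name, domains and IP ranges are hypothetical.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Properties to review before and after the change
$watch = 'SharingCapability', 'DefaultSharingLinkType', 'DefaultLinkPermission',
         'SharingDomainRestrictionMode', 'SharingAllowedDomainList',
         'RequireAnonymousLinksExpireInDays', 'PreventExternalUsersFromResharing',
         'LegacyAuthProtocolsEnabled', 'IPAddressEnforcement', 'IPAddressAllowList'

Write-Host "Before:"
Get-SPOTenant | Select-Object $watch | Format-List

$settings = @{
    # Default link type: 'Internal' = only people in your organization;
    # 'Direct' = only people who already have access. Never 'AnonymousAccess'.
    DefaultSharingLinkType            = 'Internal'
    DefaultLinkPermission             = 'View'
    # Guests must sign in; anonymous "anyone" links are not allowed at all
    SharingCapability                 = 'ExternalUserSharingOnly'
    # Only invite guests from named partner domains (space-separated list)
    SharingDomainRestrictionMode      = 'AllowList'
    SharingAllowedDomainList          = 'fabrikam.com partner.example'
    # If anonymous links are ever re-enabled, force them to expire
    RequireAnonymousLinksExpireInDays = 30
    PreventExternalUsersFromResharing = $true
    # Clients that cannot do modern auth cannot be covered by MFA or conditional access
    LegacyAuthProtocolsEnabled        = $false
}
Set-SPOTenant @settings

# OneDrive can be locked down further than SharePoint (never looser): here guests may only
# be re-invited to content already shared with them
Set-SPOSite -Identity https://contoso-my.sharepoint.com -SharingCapability ExistingExternalUserSharingOnly

# Optional: restrict the whole tenant to corporate egress ranges. Include the range you are
# administering from, or you lock yourself out of the admin center as well.
Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList '203.0.113.0/24, 198.51.100.0/25'

Write-Host "After:"
Get-SPOTenant | Select-Object $watch | Format-List
```

Test LegacyAuthProtocolsEnabled = $false with the oldest Office client still in use before rolling it out; clients without modern authentication (for example Office 2010) will stop opening files rather than fall back.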
Cloud App Security
Enterprise-grade security for cloud apps like O365, Google, AWS, Salesforce, ServiceNow, Dropbox, etc.
Provides App Discovery, Data Control & Threat Protection (e.g. Ransomware)
Available with an Enterprise Mobility + Security E5 subscription or standalone at $5/user/month
Summary
Encourage users to set permissions on documents
Configure External Sharing policies
Configure Device Access policies
Use Labels to implement Classification-based protection
Stay compliant with retention policies on labels
Configure DLP to detect and block sharing of sensitive content outside the organization
Separate duties of administrators by role — SharePoint Online, Exchange Online, and Skype for Business Online
Resources
Overview of labels - https://support.office.com/en-gb/article/Overview-of-labels-af398293-c69d-465e-a249-d74561552d30?ui=en-US&rs=en-GB&ad=GB#howlong
https://technet.microsoft.com/library/dn876574.aspx
Real Life Application by MSIT (Case Study) - https://msdn.microsoft.com/en-us/library/mt718319.aspx
Advanced e-Discovery in O365 (Channel 9) - https://channel9.msdn.com/Shows/Mechanics/Office-365-Advanced-eDiscovery
Plan for Security & Information Protection in O365 - https://support.office.com/en-us/article/Plan-for-Office-365-security-and-information-protection-capabilities-3d4ac4a1-3920-4ff9-918f-011f3ce60408?ui=en-US&rs=en-US&ad=US
What is Cloud App Security? - https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security
Anonymize Cloud User Discovery Data - https://docs.microsoft.com/en-us/cloud-app-security/cloud-discovery-anonymizer