Protect your data

  • 7 minutes

After you identify and classify your sensitive data, the next step is ensuring that this data remains secure across all environments. Protecting data isn't just about meeting compliance requirements. It's essential for reducing the risk of breaches and keeping sensitive information safe throughout its lifecycle. Several tools within the Microsoft ecosystem help you apply protections like encryption, access controls, and monitoring, ensuring that the right security is applied to each data type and location. Here's a framework for protecting sensitive data effectively:

  1. Define your sensitivity labels: Start by defining sensitivity labels that suit your organization's specific needs. These labels can be customized to reflect various data classifications, such as confidential, internal, or public, based on the type of content and the level of protection required. Sensitivity labels ensure that all content, from highly confidential data to general information, is handled according to the organization's security policies.

  2. Apply labels using Microsoft 365 apps and services: Once sensitivity labels are created, they can be automatically or manually applied across Microsoft 365 applications, such as Word, Excel, and SharePoint, ensuring that the proper protections are in place. Users can work confidently within their day-to-day tools, knowing that the necessary safeguards, such as encryption or access restrictions, are being enforced. This consistency helps maintain security across all shared or stored content.

  3. Use Microsoft Defender for Cloud Apps to apply labels in the cloud: Sensitive data often resides beyond Microsoft 365, stored in non-Microsoft cloud services or SaaS applications. With Microsoft Defender for Cloud Apps, you can extend your sensitivity labels to these environments, protecting data across cloud platforms like Dropbox or Salesforce. This capability ensures that sensitive information remains secure, even when it moves outside the immediate Microsoft ecosystem.

  4. Use the scanner to apply labels on-premises: For organizations managing data stored on-premises, the Microsoft Purview Information Protection scanner helps you discover, classify, and label sensitive data across file servers and repositories. By scanning on-premises environments and applying labels consistently, you ensure that sensitive information is as protected as data stored in the cloud or within Microsoft 365.

  5. Use Microsoft Purview Data Map to apply labels to schematized data assets in Azure: When dealing with structured data in cloud environments, Microsoft Purview Data Map allows you to apply sensitivity labels to schematized data assets in Azure. This approach helps organizations maintain a clear view of their data landscape and ensure that sensitive data in cloud databases or other structured formats is adequately protected.

Diagram illustrating the steps needed to protect your data for Microsoft Purview Information Protection.

How sensitivity labels protect your data

Sensitivity labels play a vital role in safeguarding sensitive content, offering multiple layers of protection. Once labels are defined and applied, they automatically enforce the necessary security measures to ensure that data remains protected no matter where it goes.

  • Encryption: Sensitivity labels can automatically apply encryption to sensitive files and emails, ensuring that only authorized users with decryption keys can access the content. This feature protects data even when stored or shared externally, maintaining its confidentiality and preventing unauthorized access.

  • Access control: You can use labels to restrict access to sensitive data, controlling who can view, edit, or share specific content. For example, a file labeled as "Confidential" might only be accessible to a select group of employees. This measure ensures that the right people have access to the right information and limits the risk of unauthorized access.

  • Visual markings: Sensitivity labels can add watermarks, headers, or footers to documents, providing a visible indication of the content’s sensitivity level. This feature helps users quickly identify how to handle documents, reducing the risk of unintentional misuse.

Securing emails with Microsoft Purview Message Encryption

Emails often contain sensitive information, making email security a crucial component of data protection. Microsoft Purview Message Encryption enables organizations to protect sensitive emails, even when sent outside the organization.

  • Automatic encryption: Policies can be set to automatically encrypt emails that contain sensitive information, ensuring they remain secure when shared with internal or external recipients.
  • External access: Recipients outside your organization can access encrypted emails using a secure one-time passcode or a Microsoft account, ensuring that external partners can collaborate securely while maintaining the confidentiality of sensitive content.

Protecting data beyond Microsoft 365

Sensitive data doesn't only reside in Microsoft 365, and Microsoft's protection tools offer coverage across various environments, including non-Microsoft cloud services and on-premises repositories. This comprehensive approach ensures that all sensitive information is protected, regardless of where it's stored.

  • Microsoft Defender for Cloud Apps: Extend your organization's security policies to non-Microsoft cloud services like Google Drive or Dropbox. Microsoft Defender for Cloud Apps helps ensure that the same sensitivity labels and protection measures applied within Microsoft 365 can be enforced in non-Microsoft cloud environments.

  • Microsoft Purview Information Protection Scanner: For on-premises environments, the scanner enables organizations to apply the same sensitivity labels used across Microsoft 365 to files stored locally on servers or repositories. This capability ensures that no sensitive data is left unprotected, regardless of its location.