Best practice basics for Labels and DLPs to protect company data
Hello experts,
I’ve been doing some research and testing recently on Information protection and DLP as I would like to deploy it in our organization soon. I am very new into this and found lots of useful information, but still can’t answer some very basics for this topic. Would be great to get some advise from ppl that has been using it already. Below are few points that I’m a bit confused and trying to find some clarification. We use exchange online and SharePoint as primary way to exchange information with our external partners. We are licensed with M365 E3 + M365 E5 Security
I will create 3-5 labels (based on my testing) and would like to have all documents labelled. For that reason, I would like to use a “default” label feature and have data labelled with that label (Internal) accessible only for internal users. Now, I could achieve it with configuring “Access Control” and allow “All users and groups in your organization” option. This is fine however I’ve found MS recommendation that default label should not be encrypting data. How can I then achieve that? I’ve seen advise to remove encryption for that label – but there is no option to remove encryption when configuring “Access Control” for specific users. Or should I just use that label to mark data and do not perform any action? and use DLP to block all emails/documents with Internal label to be shared outside organization?one of the disadvantage I’ve noticed during testing was that “auto-save” for documents is disabled with encrypted label. I’ve found that enabling “co-authoring” on tenant should solve that – so I’ve enabled it and will be testing tomorrow.What is the best way to restrict access between departments within an organization? Should I use Label/Sublabel (e.g. InternalLegal) approach, or utilize DLP somehow for it? What is the recommended way?I have configured “Confidential” label with “assign permission now” and used “All users and groups in your organization” option, and I cannot select this label in Outlook 365 (when I made it a default label, the email was selected, but when changed to another one and then tried to change back to Confidential, it did not work)I have configured “Restricted” label with “Let user assign permission…” and it works fine for documents (I get a pop up windows to provide allowed users). How this works with emails? Are “allowed users” taken directly from email recipients? As I do not get extra pop up window so I believe it works that way?
These are few very basic questions that I was not able to find answer last few days… First two are a general ones, 3 and 4 are ones that I noticed during my testing.
Any advise on this would be great.
Hello experts, I’ve been doing some research and testing recently on Information protection and DLP as I would like to deploy it in our organization soon. I am very new into this and found lots of useful information, but still can’t answer some very basics for this topic. Would be great to get some advise from ppl that has been using it already. Below are few points that I’m a bit confused and trying to find some clarification. We use exchange online and SharePoint as primary way to exchange information with our external partners. We are licensed with M365 E3 + M365 E5 Security I will create 3-5 labels (based on my testing) and would like to have all documents labelled. For that reason, I would like to use a “default” label feature and have data labelled with that label (Internal) accessible only for internal users. Now, I could achieve it with configuring “Access Control” and allow “All users and groups in your organization” option. This is fine however I’ve found MS recommendation that default label should not be encrypting data. How can I then achieve that? I’ve seen advise to remove encryption for that label – but there is no option to remove encryption when configuring “Access Control” for specific users. Or should I just use that label to mark data and do not perform any action? and use DLP to block all emails/documents with Internal label to be shared outside organization?one of the disadvantage I’ve noticed during testing was that “auto-save” for documents is disabled with encrypted label. I’ve found that enabling “co-authoring” on tenant should solve that – so I’ve enabled it and will be testing tomorrow.What is the best way to restrict access between departments within an organization? Should I use Label/Sublabel (e.g. InternalLegal) approach, or utilize DLP somehow for it? What is the recommended way?I have configured “Confidential” label with “assign permission now” and used “All users and groups in your organization” option, and I cannot select this label in Outlook 365 (when I made it a default label, the email was selected, but when changed to another one and then tried to change back to Confidential, it did not work)I have configured “Restricted” label with “Let user assign permission…” and it works fine for documents (I get a pop up windows to provide allowed users). How this works with emails? Are “allowed users” taken directly from email recipients? As I do not get extra pop up window so I believe it works that way? These are few very basic questions that I was not able to find answer last few days… First two are a general ones, 3 and 4 are ones that I noticed during my testing. Any advise on this would be great. Read More