Office 365 Labels (1 of 3): Compliance

Retention Label Settings

I’ve written before about labels in Office 365. In this post, first of three in a series, I’m going to go a bit deeper into how the two types of labels, Security and Compliance Sensitivity and Retention, have developed over time, and where Microsoft is headed next.

As I’ve mentioned before, Sensitivity and Retention are two different things, and Office 365’s iteration of these labels reflects that. Microsoft has a dream, however, of placing these two types of labels in one place, and for a while now has positioned the Security & Compliance Center as the one-stop administrative shop for both Security & Compliance – it’s right there on the tin.

UPDATE: This will change, following announcements from Ignite, but the distinction between labels still applies.

However, as you’ll see if you visit the Security & Compliance Center, it is going away in favor of two separate admin centers, one for Security and one for Compliance. On top of that, in nearly the same breath, Microsoft has announced Unified Labeling, supported in Microsoft Information Protection (MIP). I’ll write a separate post about Unified Labeling and MIP.

Retention Labels are only available to workspaces in Office 365, while Sensitivity Labels are configurable and available in both Microsoft Information Protection and Office 365 through Unified Labeling.

For now, let’s go back and talk about Retention Labels, which are part of the Compliance story.

A Brief History of Compliance

To understand the problem that Microsoft is trying to solve, a quick review of the history of Retention labels is in order.

Retention Labels started out as DLP (Data Loss Prevention) labels. DLP labels only applied to content in Office 365, and were aimed at addressing the problem of data loss within Office 365, generally in the event of employee termination or malfeasance, and in a limited way filling in gaps that have since been supported by Intune and Device Management. An easy example would be a corporation that is required by law to retain copies of all email by all employees for a period of seven years, or preventing someone from viewing content on an unmanaged device.

Without DLP, when an employee left, retention was difficult to manage. There was also the issue of employees deleting emails just to keep a clean mailbox. The options were A) keep that user licensed after they left, B) put that mailbox on Legal Hold, or C) export that content from Office 365. None of these were good options, costing either time or effort, or making discovery difficult, and they didn’t really address employee malfeasance very well (“I’ll delete all my emails! That’ll show ’em!”). Hence, DLP policies.

Fast forward a couple of years. Regulatory complexity led to the development of a new role, that of a “records manager” or “compliance officer”. This would be someone, or a department, who understands the various regulatory and business requirements an organization might have, not only retaining content, but disposing of content in a defensible way. Some examples:

  1. A publicly-traded corporation might need to retain financial records for a period of seven years, after which they can be deleted.
  2. A privately-held company may decide to retain employee records for as long as the employee works for the company, and one full year after they leave, but no more.
  3. Annual audits are conducted of how and where certain types of content are stored and how it is disposed of, with an audit trail of the process available.

For now, Retention Labels are still a class of object that only lives in Office 365. They’ve been functionally split off from DLP, and live alongside DLP, Supervision, and eDiscovery in the new Compliance admin center.

Compliance Admin Center

The new Compliance Admin Center is the one-stop shop for all things related to compliance in Office 365. To name a few:

  1. Create Alerts and View Reports.
  2. Create and Manage labels for Sensitivity & Retention.
  3. Create and Manage label policies for DLP and Retention.
  4. Conduct eDiscovery and Advanced eDiscovery cases.
  5. Create and Manage Supervision policies.
  6. Conduct Data Investigations.
  7. Conduct Data Subject Requests (aka “right to be forgotten” requests).

Whew. That’s a lot. I could write separate posts on each one of those topics – and in some cases I have – so for today’s purposes, let’s keep focused on Retention labels and policies.

Retention Labels Main
Retention Labels.

Retention Labels are built around the idea of a file plan, which is a records-management term that summarizes not only what to do with labeled material, but also the business or regulatory reason why.

Retention - File Plan Descriptors
File Plan Descriptors.

When you create a label, you can give it a reference ID, and then add more information. Importantly, you can reference the authority and regulation for the label. This can be important in defending your disposition process, for example during an audit of why customer medical records were deleted.

Retention - File Plan Descriptors Filled
Example File Plan Descriptors.

Labels also define how the content is retained – remember, these are retention labels. Based on the reason the label exists, you can define not only how long the content must be retained, but how it is disposed of once that period has been reached. Essentially: automatically delete, have a review process before delete, or do nothing. You can also define whether or not labeled content gets treated as a record, which makes it read-only except for the metadata.

Retention Label Settings
Retention Label Settings.

Sidebar: If you’re a SharePoint admin, all this talk about labels and disposition rules might sound like Information Architecture (IA) discussions. In my opinion, Office 365 labels should be part of any Office 365 IA efforts.

Labels can be either published to specific workspaces (SharePoint, Exchange, OneDrive, Groups*) for users to apply manually, or set to automatically apply based on either keywords you define, or sensitive info types defined elsewhere in Compliance.

*Bizarrely, the “select all” option explicitly states Groups, but Groups are not available if you decide to manually select which workspaces to publish to.

It’s important to understand the relationship between labels and label policies. Labels define the file plan, but label policies define how and where labels are applied. The same label might be published multiple times to different workspaces, and under different circumstances each time.

For example, you might have a Retention Label called “customer financials” that is automatically applied anytime, anywhere, to documents containing bank routing numbers, tax ID numbers, and social security numbers, but you might also publish the same label for users to apply manually in specific SharePoint Online sites where customer financial data that doesn’t match those criteria might be kept.
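Here is the “customer financials” scenario above expressed in Security & Compliance PowerShell, as an added example that is not part of the original post: one label carrying its file plan descriptors and disposition settings, an auto-apply policy scoped to the whole tenant, and a publish policy scoped to one site. The tenant URL, reviewer address and file plan values are placeholders, and the FilePlanProperty JSON key names are my reading of the documented format, so verify them against your tenant.

```powershell
# Added example (not the post's own code). Assumes the ExchangeOnlineManagement module;
# contoso.sharepoint.com and records@contoso.com are placeholders for your own tenant.
Connect-IPPSSession

# 1. The label is the file plan entry: retention period, disposition, and the business or
#    regulatory reason. KeepAndDelete plus ReviewerEmail gives a review step before deletion.
#    FilePlanProperty key names are an assumption; check them against your tenant.
$filePlan = @{
    Settings = @(
        @{ Key = 'FilePlanPropertyDepartment'; Value = 'Finance' },
        @{ Key = 'FilePlanPropertyCategory';   Value = 'Customer records' },
        @{ Key = 'FilePlanPropertyAuthority';  Value = 'Example authority (placeholder)' },
        @{ Key = 'FilePlanPropertyCitation';   Value = 'Example citation (placeholder)' }
    )
} | ConvertTo-Json -Depth 3 -Compress

New-ComplianceTag -Name 'customer financials' `
    -Comment 'Customer financial data: retain 7 years from creation, review, then delete' `
    -RetentionType CreationAgeInDays `
    -RetentionDuration 2555 `
    -RetentionAction KeepAndDelete `
    -ReviewerEmail 'records@contoso.com' `
    -FilePlanProperty $filePlan

# 2. Auto-apply policy: the same label is applied anywhere in the tenant when content
#    matches the built-in sensitive info types for routing, tax ID and SSN numbers.
New-RetentionCompliancePolicy -Name 'Auto-apply customer financials' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Auto-apply customer financials rule' `
    -Policy 'Auto-apply customer financials' `
    -ApplyComplianceTag 'customer financials' `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'ABA Routing Number' },
        @{ Name = 'U.S. Individual Taxpayer Identification Number (ITIN)' },
        @{ Name = 'U.S. Social Security Number (SSN)' }
    )

# 3. Publish policy: the same label is offered for manual tagging only in the site where
#    customer financial documents that do not match those patterns are kept.
New-RetentionCompliancePolicy -Name 'Publish customer financials' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/CustomerFinance'
New-RetentionComplianceRule -Name 'Publish customer financials rule' `
    -Policy 'Publish customer financials' `
    -PublishComplianceTag 'customer financials'

# Confirm both policies reference the label before announcing it to users.
Get-RetentionComplianceRule | Where-Object { "$($_.PublishComplianceTag)$($_.ApplyComplianceTag)" -like '*customer financials*' } | Select-Object Name, Policy
```

Policies take time to propagate to workloads, so the rule listing confirms configuration, not that the label is already visible in the site.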

Summary

Microsoft continues to develop their labeling story to keep up with market demands. In so doing, they’ve recognized that the activities around Security and Retention merit their own administrative centers, while at the same time making the decision to place the mechanism for labeling squarely in Azure rather than having one set of labels in Office 365 and another in Azure.

To make things confusing, however, if you go to the Security and Compliance admin center, there’s a note telling you about the new separate admin centers for Compliance and Security, but if you go to those, some functions will take you right back to the Security and Compliance Center.
