Organizations today face increasing demands in the areas of information security and data protection. The NIS2 directive is coming into force at the EU level, and financial sector operators will be subject to DORA from the beginning of next year. Additionally, plans to implement Copilot may cause concern in organizations about whether their data is adequately protected and restricted according to needs.
Microsoft Purview offers versatile tools for data protection and monitoring, helping organizations meet data protection requirements. The utilization of Purview services has often received less attention in organizations. It should be noted that many of its functionalities require a higher level of licensing, which partly explains this. It’s also worth noting that the product is designed to meet U.S. data protection requirements, so care must be taken when using some features here in Finland. However, restrictions can be clearly implemented.
What is Microsoft Purview and how can it be utilized?
Microsoft Purview is a data management service that helps organizations understand, classify, protect, and manage their data from various sources. In summary, Purview enables the management of the entire data lifecycle, data protection, and compliance with data governance rules and regulations. Purview consists of several different functional areas compiled into a single management portal view. Access to different areas depends on the available license levels.
In the following paragraphs, I have compiled some different features of the service from the M365 perspective, which organizations typically start with. Additionally, I have tried to describe through use cases how they can be utilized. Of course, it should be noted that it’s not feasible to compile all the features offered by the Purview service into a single blog post.
Compliance Management and Monitoring
Purview’s Compliance Manager tool allows you to mirror your own actions against various requirements such as GDPR and NIS2. The service offers different assessment criteria and scores risk points, bringing along suggestions for reducing them. The service’s scorecard allows you to track how the organization responds to different assessment criteria. For each assessment criterion, there are matters directed at the organization according to the shared responsibility model, as well as matters directed at Microsoft as the cloud service provider. The service can be used, for example, for audits and to develop one’s own actions to meet the demands placed on the organization. For example, at Above IT, we utilize the various assessment criteria offered by the service to monitor our own actions against the requirements placed on us.
Data Classification Helps with Data Management and Lifecycle
Purview’s various features can identify and classify data into different categories based on purpose and sensitivity. Different protection levels and retention policies can be defined for classifications. For example, documents intended for internal use within the organization can be protected so that no outsider can open them in situations where the document has leaked unintentionally or intentionally to an outside party. Restrictions can also be made within the organization. For example, HR’s sensitive data-containing materials are protected among HR personnel, and no one outside HR can access them. Protection can also be implemented for Teams teams, SharePoint sites, and M365 groups. For example, we have made classifications for Teams teams so that it’s not possible to invite external guests or share material from them to outsiders for teams with our internal classification.
Data Loss Prevention Functionalities
As a third point, I would highlight Data Loss Prevention (DLP) functionalities, which can prevent the leakage or misuse of sensitive or confidential information. DLP offers a set of tools and policies based on data classification and monitoring. For example, DLP can detect if personal information, such as social security numbers, is being sent unencrypted via email or shared through other means from the M365 service to outsiders. DLP functionalities can also prevent such actions, or for example, automatically encrypt the message on behalf of the user when sending an email.
Summary
Purview is a very versatile service to help us protect against threats and comply with data requirements. It provides visibility into data, helps investigate potential security and privacy incidents, and offers the possibility to implement various protection measures based on different criteria.
This writing is just a small scratch on the surface of Purview’s features. I definitely recommend exploring and utilizing it, especially when considering help for organizational requirements or Copilot implementation. Regarding licensing, it’s worth mentioning that the features mentioned in this writing are largely available with the M365 Business Premium license. If this topic raised thoughts and you possibly need sparring on the matter, please contact us and let’s talk more.
Read also: Microsoft 365 Purview: Data Classification and Lifecycle Management