Easily apply data classification with Microsoft 365

For some time now it has been possible to apply data classification within the Microsoft 365 platform to documents and other types of data that a company has. But what exactly is data classification, and why is it so important to apply it? At Blue Identity, we also often receive questions about what impact this has on an organization and how it can best be implemented.

In this blog post we discuss a basic configuration that can be applied within any organization. Of course, data classification, or Unified labeling as it is called within the Microsoft 365 Purview platform, is also a workload that you can make as complex as you want.

What is data classification


Data classification is part of a larger whole, namely the BIV classification (the Dutch abbreviation for CIA). According to Wikipedia, a CIA classification is as follows:

A CIA classification is a classification that is applied within information security, whereby the availability (continuity), integrity (reliability) and confidentiality (exclusivity) of information and systems is indicated. CIA is the acronym for Availability, Integrity, Confidentiality.

In this example, we start from the C, for confidentiality. Based on this, we will look at which types of data are generally always present. When we do this, we can make the BIV classification a lot easier. Think, for example, of a good spy movie. Documents sometimes appear there with a large red stamp with terms such as Top secret or Classified. These are also classification types, only in a non-digital variant.

Now that you know what data classification is, let’s see how we can apply it in today’s world.

Apply data classification


If we look at how we apply data classification, we can divide the data into different types. As an example, let’s take the following types of data:

Salary slips
Personal data
Customer details
Technical documentation


Of course, the question is whether you should put personal data in the cloud at all, but that is something for another blog.

When we look at the types of data available at a company, it is always possible to apply 4 types of data classifications or labels.

Internal data
Public data
Confidential data internal
Confidential data external


Types of labels


When we talk about labels, there are many types of labels to consider. All these labels can be applied to different types of data within your organization. In this example we use 4 labels to keep it clear and simple. If you want to know more about this, let us know; we will be happy to help you.

Internal data

We always apply the label internal data by default to all data types that are created within the Microsoft 365 cloud. This way we know for sure that data is not simply sent without carrying the correct classification.

Public data

The label public data is applied to, e.g., advertising documents or data that is made publicly available. This label has the least weight and therefore also the least security. But that doesn’t make it any less important. It is important that all data is classified. This is also important for adoption within a company.

Confidential data internal

The label confidential data internal is for data that is, for example, customer-oriented, or for documents that are being worked on. This type of data is not intended for public distribution and may contain sensitive data that could harm the company or the customer.

Confidential data external

This last label is something we use within Blue Identity, for example, when we have performed an APK security scan. These types of security scans result in documents containing sensitive data. Ultimately, you want to share these kinds of documents with your customers. With this label we know for sure that this is done in the right way.

Implementation


Now that we have defined the labels, let’s move on to the implementation.

Note: keep in mind that this is a baseline. It is quite possible that it is not appropriate for your organization. Always be aware of the impact it may have on the organization.

Go to the Information protection section within https://compliance.microsoft.com
Create the labels as we defined earlier.

Create a policy with which you make the labels available within your organization. To ensure that you do not immediately affect the entire organization, it is important that you first target a limited group of users for testing.
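
The same steps can also be scripted with Security & Compliance PowerShell. The script below is an added example, not part of the original post or Blue Identity's own configuration. The internal label names, tooltip texts, policy name and the admin and pilot mailboxes are assumptions (constructed placeholders); scoping the policy to a few mailboxes stands in for the limited test group.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: creates the four labels from this post and publishes them to a pilot scope.

# Constructed placeholders: replace with your own admin account and test users.
$AdminUpn   = 'admin@example.com'
$PilotUsers = @('pilot1@example.com', 'pilot2@example.com')
$PolicyName = 'Pilot - basic classification'   # hypothetical policy name

# Display names come from the post; internal names and tooltips are assumptions.
$Labels = @(
    [pscustomobject]@{ Name = 'internal-data';         DisplayName = 'Internal data';
                       Tooltip = 'Default label for data created within Microsoft 365.' }
    [pscustomobject]@{ Name = 'public-data';           DisplayName = 'Public data';
                       Tooltip = 'Advertising material and data that is made publicly available.' }
    [pscustomobject]@{ Name = 'confidential-internal'; DisplayName = 'Confidential data internal';
                       Tooltip = 'Customer-oriented data and work in progress; not for public distribution.' }
    [pscustomobject]@{ Name = 'confidential-external'; DisplayName = 'Confidential data external';
                       Tooltip = 'Sensitive documents that are shared with a customer.' }
)

Connect-IPPSSession -UserPrincipalName $AdminUpn

# Create each label only if it does not exist yet, so the script can be re-run safely.
foreach ($l in $Labels) {
    if (Get-Label -Identity $l.Name -ErrorAction SilentlyContinue) {
        Write-Host "Label '$($l.DisplayName)' already exists, skipping."
        continue
    }
    New-Label -Name $l.Name -DisplayName $l.DisplayName -Tooltip $l.Tooltip | Out-Null
}

# Publish the labels to the pilot mailboxes only, not to the whole organization.
if (-not (Get-LabelPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $PolicyName -Labels $Labels.Name -ExchangeLocation $PilotUsers | Out-Null
}

# Making 'Internal data' the default label is a policy setting; this script does not set it.
# Review what was published and to whom before widening the scope.
Get-LabelPolicy -Identity $PolicyName | Format-List Name, Labels, ExchangeLocation
```

Newly published labels can take some time to show up in the Office apps of the pilot users, so check the result there before extending the policy to more users.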

The policy will eventually look like the image below.

Actually, this is the implementation of Unified labeling in the most basic way. Our experience shows that