As we talk with a broad range of customers in the current environment, we hear some consistent challenges businesses are facing. With so many remote workers, people are creating, sharing, and storing data in new ways, which fosters productivity, but can also introduce new risks. A recent Microsoft poll of Chief Information Security Officers (CISOs) revealed that providing secure remote access to resources, apps, and data is their top concern.
To help companies better protect their data, mitigate risk, and address compliance regulations, especially in this time of flexible work, we are announcing several new capabilities across Microsoft Compliance, including:
- General availability of Microsoft Compliance Manager to address industry regulations and custom requirements.
- New connectors and APIs to help you to extend Microsoft compliance capabilities to third-party apps.
- Ability to protect native and third-party cloud apps through unified data loss prevention (DLP), now extended to Microsoft Cloud App Security (MCAS) in public preview.
- Expanded security and compliance capabilities built directly into Microsoft Teams.
Read on to learn more about these and additional features beginning to roll out today in Microsoft 365 Compliance. You can also check out what Jeff Teper, Corporate Vice President for Microsoft 365, has to say about Microsoft Compliance.
Addressing the complexity of data regulations with Microsoft Compliance Manager
In addition to the talent shortage and complexity of compliance management, customers also face the need to comply with an increased volume and frequency of regulations, with hundreds of updates a day globally to thousands of industry and regional regulations. Additionally, the complexity of regulations makes it challenging for organizations to know specific actions to take and their impact.
Compliance Manager offers a vast library of assessments for expanded regulatory coverage, built-in automation to detect tenant settings, and step-by-step guidance to help you manage risk. Compliance Manager translates complex regulatory requirements to specific technical controls, and through compliance score, provides a quantifiable measure of risk assessment. Generally available today, Compliance Manager brings together the existing Compliance Manager and Compliance Score solutions in the Microsoft 365 compliance center.
Now, with more than 150 out-of-the-box and scalable assessments in Compliance Manager, you can address industry- and region-specific requirements, while also meeting multiple requirements through a single action.
The flexibility of custom assessments also allows you to extend compliance and risk management beyond Microsoft 365 to meet your specific business needs. For example, if you are currently tracking compliance of your SAP data in an Excel file, you can bring that into Compliance Manager.
Extending compliance capabilities to manage data risk beyond Microsoft 365
To provide greater visibility into your data, wherever it lives, we are making new connectors available that can pull data from other apps into Microsoft Compliance (including Microsoft Information Protection, Insider Risk Management, Communication Compliance, and eDiscovery) to help you to reason over, protect, and govern that data. These new connectors – available in partnership with Globanet and Telemessage – include SMS/text connectors for various telecom operators (e.g., AT&T, Verizon, T-Mobile, etc.), WhatsApp, Zoom, and Slack.
A key ask from our partners and customers is the ability to access Microsoft Compliance solutions and integrate them with existing applications and services that are part of broader compliance, security, and operations (SecOps) ecosystems, including Symantec, McAfee, and Relativity.
To help, we are announcing new APIs, which are part of the broader Microsoft Graph ecosystem:
- Teams Data Loss Prevention (DLP) API: Allows third-party products to integrate and enable data loss prevention capabilities for Microsoft Teams.
- eDiscovery API: Allows the automation of Advanced eDiscovery processes, including case creation and the entire legal hold notification workflow to communicate with custodians involved in a case.
- Teams Export API: Allows the export of Teams Messages (1:1 and group chat) along with attachments (file links and sticker), emojis, GIFs, and user @Mentions. This API supports polling daily Teams messages and allows archiving of deleted messages up to 30 days.
Figure 1: Extending compliance beyond Microsoft 365 — We have partnered with Globanet and Telemessage to deliver ready-to-use connectors. All Microsoft and third-party built connectors are now available in a single catalog.
You can learn more in the Tech Community blog.
Extending unified data loss prevention to Microsoft Cloud App Security (MCAS)
Having the right data protection and governance approach is critical to not only addressing regulatory compliance but also to mitigating risks around data leakage.
Microsoft Information Protection helps you to identify your data and ensure you have the right data classification in place to properly protect and govern that data, which enables you to apply data loss prevention (DLP) to enforce policies against that data. In July, we announced the public preview of Microsoft Endpoint Data Loss Prevention (DLP), which builds on the labeling and classification in Microsoft Information Protection. Endpoint DLP extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on devices by restricting what data apps can access. Endpoint DLP is also natively integrated with the new Microsoft Edge browser, providing additional policy options to restrict the flow of data when accessing web sites.
Today we announce the extension of Microsoft data loss prevention solutions to Microsoft Cloud App Security. This new capability extends the integration for DLP policy-based content inspection across connected applications such as Dropbox, Box, Google Drive, Webex, One Drive, SharePoint, and others. This extension of Microsoft data loss prevention solutions to MCAS helps users remain continuously compliant when using popular native and third-party cloud apps and helps to ensure sensitive content is not accidentally or inappropriately shared. MCAS uses the same policy framework and more than 150 sensitive information types that is common across all Microsoft data loss prevention solutions, to provide a familiar, consistent, and seamless experience. This will be rolling out in public preview in the coming weeks.
You can learn more about our unified approach to data loss prevention on Tech Community.
Additional security and compliance features, including Advanced eDiscovery, being added to Microsoft Teams
As Microsoft Teams usage has grown with the shift to remote work, organizations are looking for seamless integration in order to keep their data and employees secure and compliant.
With the volume of business conversations happening now in Microsoft Teams, we are also adding additional security and compliance features, including:
- Advanced eDiscovery now supports live documents and links shared in Microsoft Teams. Advanced eDiscovery automatically collects documents from a storage location, such as SharePoint or OneDrive, to pull the content into an eDiscovery case. The attachments are collected, reviewed, and exported along with the Teams conversations so customers don’t need to manually find and collect the documents one by one.
- Auto-apply retention policies for Microsoft Teams meeting recording allow you to retain and delete recordings with in-place governance, which means the retention policies apply wherever the recordings are saved without the need to export elsewhere. When the rollout for this begins in October, we will provide guidance on how you can leverage Keyword Query Languages to create retention policies for Teams meeting recordings.
- We now include Teams-specific actions in Compliance Manager, which provide guidance around improvement and implementation of actions you can take to help to align with protection regulations and standards.
- We are also announcing Customer Key support for Teams. Microsoft helps keep Teams data safe by encrypting it while at rest in Microsoft datacenters. Now we are extending this capability to enable customers to add a layer of encryption using their own keys for Teams, similar to Exchange Online, SharePoint Online, and OneDrive.
- Insider Risk Management now offers native integration with Microsoft Teams to securely coordinate, collaborate, and communicate on a case with relevant stakeholders in the organization. When an Insider Risk management case is created, a private Microsoft Teams team will also be created and bound to the case for its duration. This Microsoft Teams team will, by default, include insider risk management analysts and investigators, and additional contributors such as HR and Legal, can be added as appropriate. With Teams integration, stakeholders can:
- Use channel conversations to coordinate and track review/response activities.
- Share, store, and review relevant files and associate evidence.
Additional new capabilities coming to Microsoft Compliance
While I’ve discussed some of the biggest areas of investment for us in Microsoft Compliance, there are many additional new capabilities we’re excited to bring to you today:
- Microsoft Information Protection now includes more than 150 sensitive data types, improvements to Exact Data Match, the general availability of automatic labeling in Office apps, and more.
- Microsoft Information Governance and Records Management include new in-place retention and deletion policies for Yammer messages (rolling out now in public preview), as well as integration with the new SharePoint Syntex.
- Insider Risk Management now integrates with Power Automate, provides a richer investigation experience, and includes expanded signal visibility to badging systems for building security.
- Communication Compliance now provides enhanced visibility across a variety of communication channels and integration with Power Automate.
- Advanced eDiscovery now has improved workflows and support for linked content in emails or chat messages.
- Advanced Audit now includes two new audit events to help with forensic investigations and the ability to add 10-year audit log retention.
Remote and hybrid work scenarios have demonstrated that there has never been a more important time to invest in security and compliance. Get started today with Microsoft 365. To learn more about Microsoft Compliance and gain more technical training, visit the Virtual Hub today.
To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.