CarahCast: Podcasts on Technology in the Public Sector

Meeting Federal Zero Trust Standard with Microsoft Sensitivity Labels with AvePoint

Episode Summary

In January, the White House released Memo M-22-09 that mandated, "Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information." Simultaneously, there has been a 44% increase in workers' use of collaboration tools since 2019. Listen to this podcast from AvePoint and Carahsoft to learn how Microsoft's sensitivity labels can help your agencies on the path to complying with M-22-09. We will outline key insights into how AvePoint enhances Microsoft's native security capabilities, including:
• The function of Microsoft sensitivity labels
• How to put sensitivity label decisions into the hands of workspace owners (i.e., Teams, Groups, sites)
• Actionable reporting based on Microsoft's sensitive information types and exposure

Episode Transcription

Meeting Federal Zero Trust Standard with Microsoft Sensitivity Labels

 

Corey Baumgartner  00:13

On behalf of AvePoint and Carahsoft, we would like to welcome you to today's podcast focused around meeting federal Zero Trust standards with Microsoft sensitivity labels, where Antoine Snow, public sector solutions engineering manager at AvePoint, will outline the role of sensitivity labels in complying with White House memo M-22-09, moving the US government toward Zero Trust principles.

 

Antoine Snow  00:37

Alright, so let's dig into this. Zero Trust. Zero Trust is an interesting conversation, right? Everyone has been hearing about it ever since the mandate, the M-22-09 mandate. And as such, there's a lot of questions about, you know, the principles, about the architecture, and so forth. So just to give a quick, high level in case there's anyone there who's unaware, right? Zero Trust is effectively an evolving set of requirements that is meant to boost cybersecurity and cyber defense, right, threat mitigation. So, there are a couple of key core principles to go over there just to make sure that we're all on the same page. So, there's assuming breach, which is trying to minimize the damage of a potential breach itself. There's explicit verification, which is verification and validation, authentication, authorization, right, a lot of the identity pieces on different data points, right. And then there's going to be the principle of least privilege, right? So, this is trying to minimize access, right? By giving just enough permissions, or just enough credentials to be able to do what it is that is necessary.

 

Antoine Snow  02:00

So that's, that's kind of the general gist of it from a principle perspective. Now, as far as the pillars of Zero Trust, and how that fits in.

 

Antoine Snow  02:10

The pillars themselves are going to extend across multiple different areas, right, when you start talking about information technology, and cybersecurity. So, you have your endpoint management, which is ever so much more important. These days, as more and more organizations are allowing, you know, bring your own device or are providing devices themselves, but need to make sure that there's proper inventory, and authentication, and just security that's applied to those endpoints themselves. You have the network, which has always been a focal point of security conversations just in general, right? You know, government or not,

 

Antoine Snow  02:51

the application workloads themselves, right? What's actually happening with the work, with the applications, how they're being developed, how they're being delivered. And then of course, trickling down into the data and the user aspects. Now, this conversation today around sensitivity labels, and even some of the AvePoint components, you'll see is going to stay a good bit around the data and the user, right? So, it's going to be, if I can get my handy dandy laser pointer here, right, we'll be focused a lot in this area. And that's just going to be based off of the nature of how the technology works. All right, just in general. Now, when we're talking about the data and the user, there's going to be quite a few different components there, right? So, you have your DLP, you have your classification, being able to leverage managed metadata for the purposes of reporting right there. However, that can help you with reporting, encryption, you know, there's a big charge towards AI and machine learning. So, we'll be talking about a lot of these different components today, and how those are applicable within the sensitivity label, you know, ecosystem, or Purview, right, within Microsoft. Now, this is going to lead me to a question, and this is going to be a question that, you know, I want you all to kind of think about as it pertains to your specific environments, right? So how do you incorporate the Zero Trust principles, right, the ones that we went over in the beginning, the ones that are fairly well known, in a free and open sharing system? Okay, so I say free and open, not that you can't create permissions, right? Not that you can't lock things down. But for the most part, there's a lot of freedom of collaboration that is available to you in M365 on purpose, right. And this is not, you know, to disrupt Zero Trust or what it's built for, but it's more so because of the nature of collaboration today, okay?

 

Antoine Snow  05:04

So, when you talk about the current constructs, and we'll also dive into some of this as well as we go along the presentation, but you can think about from an ownership perspective, right? When you think about the nature of like a team, right, Microsoft Teams, and the power that a team's owner has, right, the power the site collection administrator might have, right? There's a lot of privilege here. That doesn't necessarily, you know, mess with that principle of least privilege. So how do we get around that? Right? How do we shore that up? Right? This concept of, of anyone can be an owner, but even sharing concentrated data sharing, right, it's able to be had at just the click of a button, and shipping is, right. So, what we're going to be talking about today is how you can right size some of that control based on risk that you can identify or risk that's been determined, potentially as content has been created, or workspaces are being provisioned. Okay? So, this is really where we're going. So, we're going to be focusing on two key areas, right, this is going to be the data component, the actual content itself. This is where we're going to spend a lot of our time talking about and discussing sensitivity labels, discussing how this can help, not just from a classification perspective, but even from a policy enforcement perspective, right, trying to control some of that risk for the most sensitive content. The other half of this, so the other side of this, when we're talking about right sizing this control, is going to be an approach that we speak about very often here at AvePoint, especially around the Zero Trust architecture. And this is about how you can right size based off of the workspaces themselves as well. Okay, so, just want to make sure that we kind of set the stage for where we're going for the rest of this webinar.
And I implore you, if you have any questions, go ahead and put them in the chat, I will do my best to respond. Alright. So, let's move forward. And let's talk about how to secure content with MIP. And, you know, Purview, right, as it's called now, sensitivity labels. So, just a little bit of a walk through, right, just a little bit of a history. So, the concept behind the sensitivity labels, or how it came about, you know, kind of all started from, those of you who, you know, have managed content on premise are very familiar with the Active Directory RMS, right, the Rights Management Services. And so that then evolved itself into what you have as the Azure Rights Management Service. So, it's just a natural evolution, as things started moving from, you know, on premise Active Directory, and so forth into the cloud. Now, with the acquisition of Secure Islands, what this did was provide Microsoft with a lot of powerful data classification, protection and DLP technologies that were then able to be iterated on and effectively start becoming more around the AIP, the Azure Information Protection suite. Okay. Azure Information Protection also allows, and still does, if you're leveraging the scanning engine, the labeling and classification of even unstructured content within file shares. Alright, so it does still extend even with the change to MIP and Purview. Okay. And then from there, you also have your unified labeling, right? So, this is where we previously saw the MIP moniker, right? Microsoft Information Protection. Also, alongside MIG, which is going to be Microsoft Information Governance, right, a lot of the retention label pieces. We're not going to get into that today, but just a little bit of a background. So, talking about this a little bit more, sensitivity labels, right? What are they? What is it? Right?
So, sensitivity labels are effectively metadata that's written into the document files, but this metadata is actually going to have an attachment such that it's able to do things like encrypt the files, it can control things using, of course, rights management services, as well. You know, can you copy, can you print. It also is going to persist with the file across other ecosystems, right. So, because it's an Office file, even if it's sent in email, even if it's, you know, used in something like a Dropbox or something of that nature.

 

Antoine Snow  09:57

It's persisting with that concept, with that document, those Office files, across its collaboration cycle. And that's what makes sensitivity labels so powerful, right. So, it really does help prevent, you know, oversharing, or at least securing your content, if you have to share it, by ensuring that the right policies are going to live with that content as it goes along. Right. Now, do note that some of the labels are able to be applied through a web browser, but some are applied through the desktop client. Right. And remember, I also mentioned this unified scanner. So, there's a little bit of nuance when it comes to how you're interacting with it. But ultimately, the idea is that whether you're creating a document through, you know, 365, SharePoint Online, Teams, right, or whether you are creating it through the Office client on prem, you know, on your endpoint, you're still going to be able to interact and leverage the labeling functionality. Right. So, let's talk about creating the sensitivity labels in Purview. All right. So, for those of you who are not familiar, or who have not, you know, been able to have the pleasure of exploring the former Security Compliance Center, now the Purview center, you are able to get into the information protection and actually create the labels from here, right. Now, you can create a label for internal information, you can do one for ITAR export control content. Depending on what you create as your label, or what the purpose of the label is for, you can create a set of actions or restrictions or even permissions that are going to be applied to this label. So, walking through this, what does this look like? So, number one, you're creating a name and a display name for your users, as well as the description for the label itself. Right. From there, you're going to define a scope for this label. So, we'll actually talk about some of the scope on another slide as well.
But right, this label can be applied to files and emails, which as you can see there can apply config, see me encryption, right. So, you can do some content markings, you can do watermarking. Right, you can set auto labeling conditions as well. So, a lot of power when you start talking about that. But you can also apply the labels to groups and sites, right, now the actions are going to be a little bit different. Okay, but it is possible. And then of course, you can also apply it to Azure Purview assets. Actually, more recently, you can apply it to Power BI content as well. So, I'm not sure if any of you all have been within the Purview center lately, but Power BI content has actually been added as another location that you can apply labels to. So, when you are choosing the protection for the files, as you're applying this to your files and your emails, you have the ability to encrypt them, right, and control who actually has access to it based off of it, so that encryption is actually still going to follow. Once again, this label is following and persistent. You can also mark the content. So, if you needed to create a custom header or footer, right, given its, let's say, sensitivity, right, the nature of its sensitivity, that's a very common use case for that. Or if you want to watermark it for the same purposes, right, you can actually do that with the labels themselves. Now, as we go further into this encryption, take a look here. Now what you can do, this is actually really interesting, is that you can assign the permissions in two different ways. Right now, the first way is what you see here on the screen, which is assigning the permissions. Now what this does is allow the administrators, right, the people who are managing this from the compliance center, to be able to

 

Antoine Snow  14:12

dictate who can access that type of content. So, if we think about some of the more highly restrictive content, right, the things that are going to be need to know, you know, going back to your ITAR, your export control scenario, you could apply permissions such that there is a group and this group of users are going to be US persons only. And what you then do is say, based off of this label, alright, I'm going to assign the permissions and make sure that only members that are following this AD group or in this group are going to be able to access this content as it's marked. That is an example of how you can leverage this. Internal can also make sure that, you know, no external entities are going to be able to access this content. There's public labels that you can do. So that's one way of handling it. And that's a very common scenario. But again, it's going to be around specific kind of content areas. The second way to assign these permissions, and you might notice it says or let users decide, okay, so there is a user driven process to this as well, or it can be. What this allows you to do is say, I'm going to publish this label to these users, maybe they're going to be leveraging it, you know, through desktop. Once again, I said, you can create content through Office on your endpoint. And then you can associate a label with it at that point in time. And that's going to be kind of the other option there. Right. So really interesting how this can go. It's, you know, on one hand, you're leveraging your users and depending on your users to be able to, you know, classify content appropriately. But at some point in time, they are also going to know best the type of content they're working on. Right? So, the administrator method works for those scenarios that I provided.
We talk about content marking, this is your ability, once again, to add a watermark, you know, and as you can see in this example, restricted is going to be the watermark that's provided. You also have a footer, right, that says highly confidential. This is just some examples of how this can be leveraged. Right, so let's get into auto labeling a little bit. So, part of the Zero Trust architecture, or should I say, part of the Zero Trust pillars is machine learning and AI, right? So, there's a couple of different ways we can do this. So, you have auto labeling based off of sensitive information types you see here, and this is the example and we'll talk about this. And the other option is by trainable classifiers. And I actually have a slide on that specifically. So, sensitive information types. Sensitive information types are going to be the kind of baseline idea of, alright, well, what can classify, what classifies sensitive information. So, let's talk about driver's licenses. We see this example here, as we put up the different sensitive information types of bank account numbers, driver's license. So what this is doing is it's following a particular pattern, right? Social Security number, for instance, social security numbers, three, hyphen, or slash, two, hyphen, slash, four, right? A driver's license number, depending on the state, can actually also be identified, you know, pretty easily. So, you know, if I think about the state of Virginia, you have, you know, a letter, two numbers, hyphen, two numbers, hyphen, four numbers, right? This is pattern matching, right, and you can do this kind of more baseline. And that's the idea behind the sensitive information type. So, it's able to identify these patterns, these things and say, alright, I'm going to attribute it. And based off this sensitive information type I find, I'm now going to apply a sensitivity label. Okay.
And that's kind of the idea there, trainable classifiers we'll talk about in a minute, this is actually going to be more along the machine learning aspect of things, as we start talking about how this fits in with the Zero Trust architecture, as well as how it fits into even what your strategy might be within your organization itself.

 

Antoine Snow  18:38

Alright, so once you're done here, you're able to create the label. And from there, you can also publish the label afterwards. Alright, so you review the settings, make the changes and finish. Now, trainable classifiers. So, this is just an image from the link that you see down below. And it goes into a sample timeline of going through trainable classifiers. So, what is this? So what this is doing is saying that if your organization has, let's say, employee ID numbers, since unique case, file numbers that's unique, or other types of patterns that might occur multiple times, and if, let's say three different things, I think one of the examples is for Coca Cola or something that needs you, and it's, you know, you have, what is it, brown, you know, number whatever the case is, plus water plus, you know, another ingredient found within the same document. That's going to be the secret recipe, right? And we're going to train the system in order to find these things. And if it matches, then we'll go ahead and leverage that. So, the idea is that you're going to upload seed content. So what it's called, it's called seed content. And the idea is that it is then going to crawl and index that and understand what is common across that. This is supposed to be all content that actually matches your criteria, whatever that might be, right. So, I don't want to make it so simple as just a string, it could actually be more complex than that. From there, once it goes through, and it processes the seed content, you then have to sample it, right, you have to test it. So, the idea is that you create 200 test samples, some of them are going to be positive, and some of them are going to be negative.
The idea is that you go through any review that you upload that you haven't go through, it tells you what's positive, what's negative, you mark it as a false positive, you mark, you know, you're training, right, that's the whole idea behind the trainable classifiers, you go through, you train it. And these trainable classifiers can be used for both sensitivity labels and retention labels, right? How you apply it. Now, these are just sample examples. And in truth, it's very likely that you need more test samples in order to ensure that you are going to be more accurate with how content is going to be assigned, just to be very transparent here, right, but this is machine learning, right? It has to learn. And that's the whole idea behind this. And so when you're going into this, and you're thinking about how to incorporate, you know, machine learning and AI into your Zero Trust mechanism, or even just your general information governance strategy, keep in mind the work that goes into this, when you're going through and you're training, you know, the system, right, in order to match the patterns that you need for it. So, we'll talk about that. Now, luckily, with the Zero Trust architecture, you can build up. The idea behind the pillars is that you build yourself up through them, you don't have to necessarily meet everything at one time, but it is a framework. And we'll talk more about that. So, sensitivity labels for groups, versus me for teams, groups and sites. So, I did mention before that this is going to be different, right? Sensitivity labels for groups, teams and sites are going to be different in the sense that, number one, when you apply a sensitivity label to a team, group or site, it does not automatically trickle down to the sub entities, right. So, if you apply it to a site collection, it's not necessarily applying to the sub sites. If you have a nested architecture, you don't have a nested architecture, that's against best practice.
But I guess it's also not going to trickle down to the files, right. So as mentioned, sensitivity labels applied to content has different parameters, has different actions than sensitivity labels applied to an object. So, an example is that if you were to create a sensitivity label on a team, right, you can determine, right? And this actually used to be a very common question that our clients ask, I want to make all of my teams private. Well, this is perfect. This is the perfect way, right? Because there's a lot of security concerns around public teams, right? It has that everyone except external users folder says contents uploaded into there, they're available across everyone, right? It's a lot of risk.

 

Antoine Snow  23:38

So, you can use sensitivity labels in this way, right, to ensure and enforce the privacy of the workspace itself. So that's an example of how this can be used. So, what I don't want you to confuse this with, though, specifically, is the Teams classification. Right? So, Teams classification used to be a thing that was around, right. And the idea is that the Teams classification was the text string to help you identify the nature of a team, but there was no policy associated with it, right? So, you could have an internal classifier for a team, but really, there was no bearing on it. So that's how sensitivity labels kind of moves that needle forward. Because it actually gives you a policy that needs to be adhered to based off of that. Let's talk about sensitivity labels in practice. All right, so where sensitivity labels thrive. All right. So, protection is going to be applied to the content regardless of how it traverses across the environment. Alright, so different platforms. And like I mentioned before, including Power BI, that's fantastic. Right, teams, groups and sites can have policy enforcement based off of a sensitivity label. Well, that is also phenomenal. Once again, very common use case across multiple industries and multiple government entities is private teams. You catch that, you nip that in the bud right there. Sensitivity labels are also the best option, in my opinion, right, for securing highly regulated content. So, let's go back to, you know, let's think about different types of CUI data. Let's think about, you know, again, the export control scenario that I mentioned before, let's think about FTI data, let's think about any of those, you know, things that are going to be regulated, it is fantastic for that, because you can apply it based off of the sensitive information type.
Or as the next bullet states, you can leverage trainable classifiers for additional automation, right, for the application of the labels themselves. So, this is really where sensitivity labels truly thrive. Now, a little bit about why there's another route that we're going to go down, and we're going to talk through in the next part of this presentation. All right. So, collaboration, as it stands today, doesn't necessarily fit the nature of the auto labeling, or the labeling that is done natively. So, let's talk about what that means. So to apply a sensitivity label across multiple workspaces, a workspace being defined as a team, a group or a site, or, you know, something like a Yammer community, if you guys were using that, things like that, right, is the fact that if you want to do it in bulk, you really have to do the auto labeling, or the auto labeling doesn't have that type of capability, right, you have to actually add multiple site collection URLs or multiple OneDrive URLs, right. You know, deploying a label to a group of users is fine, but a user, right, the sock again, but the nature collaboration or user to be working on a project that doesn't necessarily fit, you know, the mold of what is sent to him or her, right? That individual could be doing cross departmental, cross component work. And as such, another sensitivity label that might not be deployed to them may be better, right? So that's just an example. Or if you just want to do a bulk label application to all finance and all, you know, personnel management and all, you know, a YG, or something of that nature, that's also not exactly easy, right. So it doesn't fit the agile nature of collaboration itself. Labels applied to the workspace, once again, do not apply to the content automatically. So that means you have to have the labels that are deployed to the workspaces. And you have to have labels that are gonna be deployed to the content, right?
Because they serve two different purposes in the overarching information governance process, right? So let's kind of keep that in mind as well.

 

Antoine Snow  28:32

User-based decisions. So, this is what trips up, I think, quite a few of my clients if I have to think about that. Right. So, I mentioned earlier on, when you deploy sensitivity labeling, you're setting permissions around it, it's either done by the admin, you guys can actually see this finger here, or it's done by the user themselves. Doing it by the admin has its uses, but it's not going to fit the bill for a large tenant or even a small tenant. Right, given the nature collaborate, it's just not going to fit, right, the admin cannot. And when I say the admin, I'm talking about the people who have access to Purview, who have those rights, you know, who are sensitivity, you know, information protection admins and so forth. They cannot necessarily define and decide who's going to have access to all that content, other than, again, US persons only, maybe Capstone users, or executives, right, so they can determine that. But when we get more granular, there's a divide. Okay. Let's talk about trainable classifiers. So trainable classifiers, being the machine learning and being the AI approach, is still a tedious process. Right? And again, that is why it's fantastic for the most highly regulated content, or for the most unique content in and of itself. But I have clients that believe that this is kind of the way forward. And I'd have to say that general classifiers, for all of your content, for everything that you do, is probably not going to be the feasible approach. Okay. On top of that, there is the need for the AIP unified labeling scanner, to assist with some of that, especially for non-Office files. But then that sensitivity label doesn't necessarily traverse for non-Office files into M365, as well, right, because they don't really showcase well within SharePoint Online. So, kind of keep that in mind as well. So, we're talking about Office files, we're talking about PDFs, even images for a lot of cases aren't going to be subject to this.
And we know that images can also in themselves be sensitive. So, I think I beat the slide over the head, let's kind of move on and talk a little bit about that teamwork approach. Right. So, we've talked about teamwork, but ultimately, the team you work with aren't necessarily always going to be within your department. These are kind of basic, you know, kind of Microsoft figureheads. But you know, you can imagine the various different components or departments within your organization. And you know that there's a lot of cross communication. And it's not always through email, right. They can be in a number of different ways. They could be file sharing, right, directly through OneDrive, they could be emails, right, which is, as we know, a very long-standing approach. But then there's meetings and events, there's tasks, right, we talk about the advent of Teams and Planner, chats and conversations. So ultimately, the team you work with is not necessarily always your team. And that is why labels that are only applied to specific users based off of their department or another attribute don't necessarily always work. But then there's also these things such as chats, conversations, and tasks and meetings, that also kind of fall outside of what sensitivity labels are really kind of doing for you, right? Because this is beyond files. So, let's just kind of keep that in mind as we're going here. Alright. So, let's take a look again at the Zero Trust pillars, but let's actually take another look here, and look at this additional pillar of workspace control. Okay.

 

Antoine Snow  32:44

Workspace control, and this is all a maturity model, by the way, so it's all about kind of working your way up, but the workspace element is going to traverse some of the data elements as well as the user elements, right? Because if we think about it, the workspace itself, right, that team may be an Azure Active Directory object. But it also comprises so many different systems and services. Planner's here, SharePoint there, right? There's a little bit of Exchange components, some legacy Skype, because we have our chats, right, we have, you know, maybe workspaces and all these other different hodgepodge of elements, right? It's not even talking about anything that you might, you know, any tabs and whatever the case is, right? Going on a tangent here, but there's a lot to it. There's a lot to it. So, when we look at the workspace element, we start looking at things like, alright, well, how do we talk about permissions at the workspace level? And how does that then, you know, integrate with this data, right? And data access, as well as, you know, some of the user elements. So, this is why it kind of traverses these two here. Right? How do we talk about the delegation, right, of administrative capabilities to workspace admins, right? We talk about the principle of least privilege, well, how can we get some of these responsibilities out of the hands of those with the most privilege, and into the people who actually need to do it day to day, right? There's a lot of different elements here. Now, this webinar is not about every component of this sixth pillar of workspace, we are going to still be focusing on how we can, you know, incorporate sensitivity labels and better the sensitivity label deployment within the environment. But keep these things in mind when you're thinking about your approach to the architecture in a modern collaboration environment. Right.
So, moving forward a little bit, we have the, you know, AvePoint Confidence Platform. So the Confidence Platform, powered by AvePoint Online Services, is going to provide different platform features to help enable and enhance the concept of information governance within M365 by incorporating things like the container approach or logical segmentation approach, and so forth. So, when we talk about this, if you think about your tenant, and in most government organizations, you're in a consolidated tenant. So that's first and foremost, there's only, you know, I don't wanna say far and few, but in the majority of cases, you're in a consolidated tenant, there's gonna be multiple components that exist within one. As such, there is a need to have a segmentation of those sites, of those teams, of those groups, right. Users is done pretty easily, Azure AD takes care of that. And as such, it's able to take care of the mailboxes and even to some extent the groups and distribution lists as well. OneDrive is not as easily taken care of, because it still maintains that URL concept within M365 natively, right? And as such, sites and teams. So how can we have a logical segmentation within a tenant? How can we use this logical segmentation to better assign things like sensitivity labels across the environment? And how can we provide people, the need-to-know individuals, the admins, who are respective to those business units, how can we provide them with the insight that they need in order to make reasonable decisions? And by doing so, we're providing the people in need the visibility with that, and further offloading more of the responsibility from the individuals who have the most permissions, right? Because again, just because you're a global admin doesn't necessarily mean that you should be in everyone's team or OneDrive. Right. That's just how it should be. So, what are some of the benefits here of a workspace approach? Right?
Establishing data ownership, that's one here, right? Being able to say that as an admin,

 

Antoine Snow  37:17

of a particular workspace. Bear with me, there was a point of what haywire. Establishing data ownership by saying, as, you know, the persons responsible for this component, for this division, you can be data owner, or the specific data owners themselves who are owning that content, right? So, Teams owners, something of that nature, right, but further defining that across the workloads. Classification, being able to do that at the workspace level, and doing it in a way that still leverages the sensitivity labels, but do so in a bit more of a business-focused process. Okay, business-centric process, and we'll talk about how to do that. Collaboration asset inventory. So, this is actually a big one. So, part of the Zero Trust architecture, right? When we talk about those pillars, a lot of that is about discoverability of the content as well. So, let's not overlook the power that lies in, you know, inventory reporting, right, across there and understanding purposes behind why things might have been created, or what things are being used for. Right? Attestation processes, so being able to say, on a workspace level or by department level, you know, are you still using this? Is this, you know, is the content in here still relevant? Are the persons who are a part of this workspace still relevant? Right, going through that kind of permission cleanup. So, I mean, I want you guys to ask yourself, seriously, how often do you go through permission cleanup? I was a SharePoint admin in the past, I can tell you that that was not a regular occurrence. I can almost assure you that in Teams, it's only gotten worse. Okay? So being able to go through that process, automating some self-service requests, and then handling the end-to-end lifecycle management. So, when we talk about Zero Trust, right, when AvePoint is talking about Zero Trust within collaboration systems, we are hitting on some of these key pieces, the classification and lifecycle management of these workspaces.
Being able to use the same attribute-based approach that Microsoft takes with its users, and being able to apply that down to the workspaces and do attribute-based policies and controls for those workspaces, right, not just the user's authorization. So, when we, again, going back to those pillars, Zero Trust method there is going to be about authorization of the users. Well, they can get into M365. Right. Let's assume that that's all well, looking good. And to some degree, right, when we're talking about sensitivity labels, that can control a user's access into the content or their authorization for the content. But again, that's not necessarily the best approach, broad scope. What we can do is control where that content lives and the authorization there. And that's the idea behind the workspace authorization. And then lastly, of course, risk discovery, reporting. Again, nothing makes the job easier than being able to highlight some of that risk, and then be able to also delegate that visibility down to the persons who can actually take action. All right, so let's talk about a few things. I will go through a quick demonstration, and then we will wrap up. So, let's talk a little bit about the workspace cataloging. So once again, being able to have great inventory management is going to be really critical, right? So, we're talking about the inventory of collaborative workspaces. So, are they a site? Are they a team? Are they a group? What are they? Right? Map those workspaces back to a business unit, a business purpose, and a sensitivity. Okay, so pulling that sensitivity label application, and being able to provide you with a map of understanding exactly what everything is for, right, including any additional metadata that you might want to allocate to it. So, this can tell you not just the sensitivity, but maybe even the criticality, right, of a particular workspace, right.
So, this can help with really understanding what is happening within the environment itself, it can help you maintain compliance across the organization. And by being able to see this, you can also sunset, you know, based off your records retention rules, you can sunset the necessary components to be able to reduce risk and sprawl, right, for end user purposes, as well as for administrative purposes. Okay.

 

Antoine Snow  42:11

Tying this back into a sustainable self-service approach, automation doesn't necessarily always have to be machine learned. Okay? So, if you take a look at, you know, the imagery here, through a dynamic request process, right, what you are able to do, leveraging the system, is based off of who the user is, where they belong, right, from a department or organizational structure, or even what role they are, like, are they a capstone user? Are they an executive or otherwise high-ranking official? What are they trying to do? Right? So, what is their business purpose, you are able to do things like determine a naming convention for the workspace, you're able to determine who can have access or who can be invited, right. So actually doing like a narrowed down people picker field, when you're actually inviting or incorporating members into this team or workspace, you can leverage these different metadata or these answers in order to drive reporting. And then of course, you can also automatically configure a sensitivity label based off of how they respond to the questions. All right, this is big, right? Because like I mentioned, you can't do this, well, natively, there's not really a good way to bulk apply the sensitivity labels across the environment. So, this provides you a way to be able to do so. Right? And then lastly here. So proactive policy. So, policy enforcement is going to be big when you start talking about something like a Zero Trust methodology, right? You have to ensure that policies are being enforced and things are being done. You can implement governance all you want, but unless you have a way to enforce that governance, you'll always be, you know, playing cleanup, right, or playing catch-up and trying to come from behind. Right. So being able to do proactive policies in order to meet its compliance within the environment is always going to be very crucial.

 

Corey Baumgartner  44:19

Thanks for listening. If you'd like more information on how Carahsoft and AvePoint can help secure your organization's collaboration spaces, please visit www.carahsoft.com/avepoint public sector