Microsoft Launches Purview Platform to Govern, Protect, and Manage Sensitive Data

The shift to a hybrid workplace has forced organizations to rapidly adopt cloud technologies and remote access tools to enable ubiquitous connectivity.

That in turn has generated more data than ever before, and organizations are faced with the prospect of securing their data, managing data governance, and keeping up with compliance requirements. Collaboration tools can result in sensitive data leaks if not properly managed. Microsoft announced changes in its data governance platform to help customers see their assets across their entire data estate, along with helping to manage risks and regulatory compliance.

Microsoft has rebranded Azure Purview, which became generally available last fall, to Microsoft Purview and brought over the products that used to make up Microsoft 365 Compliance. Microsoft Purview also features new functionality in Microsoft Purview eDiscovery to improve identification of data stored in Teams; the general availability of Microsoft Purview Data Loss Prevention for macOS; and a preview of the ability to create encrypted documents for iOS and Android platforms.

Microsoft Purview will bring "that chief data officer and their team together with the risk officer, the compliance officer, and [have] a unified view and ability to manage data," says Alym Rayani, general manager of compliance and privacy at Microsoft.

For organizations, getting a sense of what data they have is a growing challenge, as is making sure the data isn’t leaving the organization in an unauthorized manner. Data has become the "lifeblood" of how businesses operate, says Rayani, but knowing what the organization has, or where it is even stored, is a growing challenge. The rapid adoption of cloud applications and remote access tool have expanded the data estate. An example would be how more employees are exchanging data using Microsoft Teams — not just in the chat or conversations, but also sharing files.

"Data lives everywhere. There's a lot of it," Rayani says, noting that about 93% of customers told Microsoft they store data across multiple clouds and multiple solutions.

Understanding the Data
Before organizations can do anything about their data, they have to first understand it. Toward that goal, Microsoft expanded its sensitive information type catalog with more than 50 new classifiers, such as those covering patient and healthcare data. There were already 250 classifiers, for data elements such as credit card and Social Security numbers, Rayani says. These classifiers are available for DLP, Information Protection (auto-labeling), Data Lifecycle Management, Insider Risk Management, Records Management, eDiscovery, and Microsoft Priva.

The classifiers are necessary to identify sensitive data, and to allow organizations to create policies that accommodate the specific requirements for each type. There may be patient records that are considered confidential even if payment card numbers or Social Security numbers are not included.

"One of the things we've been hearing from customers is, 'Hey, I need to get a good understanding of my data environment, my data landscape. It lives across a range of systems. It lives in apps. It lives in different platforms,'" Rayani says.

Governance to the Forefront
Microsoft Purview is not just about visibility or classifying data, but can give organizations governance tools that extend all across the data environment. Data leak prevention is one example, but another important area of data governance is insider risk management, Rayani says. While the idea of a malicious insider — the person trying to steal confidential information and intellectual property — is a classic example of insider threat, there is also a lot of the "inadvertent" insider — the one who accidentally exposes data while trying to do their job.

For example, a marketing employee trying to share something over Teams may violate data leak prevention policy. With Microsoft Purview, organizations have tools to warn the user in the moment that there is a policy violation, block the action, and offer an alternative method, such as a secure SharePoint site, Rayani says.

How each of the products in the Microsoft Purview family are branded. Source: Microsoft

Organizations frequently have to stitch together multiple products to give security, governance, compliance, and legal teams a clear view of what is happening in their environment. Almost 80% of IT decision-makers in the United States purchased multiple products to do so, and a majority had purchased three or more, according to a recent Microsoft survey. This patchwork of products can expose infrastructure gaps and is both costly and complex to manage, Jessica Hawk, Microsoft's corporate vice president of data, AI and mixed reality, wrote on the Azure blog. Microsoft Purview's goal is to provide a unified view to improve security, privacy, and compliance, she wrote.

The company will continue strengthening the integration between Azure products and Microsoft 365, as well as adding new capabilities. For example, sensitivity labels — which designate the data classification — will be consistent across products, and they will be viewable in both Microsoft Purview's compliance portal (formerly Microsoft 365 Compliance) and governance portal (Azure Purview).

"We believe the new way to optimize your data strategy is to deliver a unified view of data in the organization across hybrid, multicloud environments by bringing together the business users of data with the protectors of data," Hawk wrote.