Guidance on protecting government data using Microsoft Purview
Following the recent update to the Government Security Classification Policy (GSCP), Microsoft has partnered with Government Security Group, the Central Digital and Data Office and the National Cyber Security Centre (NCSC) to provide configuration guidance for those wishing to implement the OFFICIAL tier of the GSCP using Microsoft Purview Information Protection (MPIP), available as part of Microsoft 365.
The guidance assists those wishing to classify and protect files, control who can access them, and allow greater control when sharing information between departments, partner organisations, and customers.
A spokesman from the Government Security Group said: “The Government Security Classifications policy (GSCP) sets out the administrative system used by HM Government (HMG) and our partners to appropriately protect information and data assets against prevalent threat actors. The GSCP was updated in 2023.
“This gave us a significant opportunity in UK government to modernise and standardise how organisations apply technical controls in line with security classifications. Microsoft 365 is widely used across UK government, so we partnered directly with Microsoft to define a standard approach to applying sensitivity labels and data loss prevention features of Microsoft 365 in line with the GSCP.
“The resulting technical guidance provides a baseline from which organisations can select the most relevant elements and tailor them for their specific use cases. Our objective is that this will be an enabler for the GSCP and that it will also create a better user experience for civil servants and our partners.”
Building on the Government’s Secure Configuration Blueprint
This guidance builds upon the Microsoft 365 Guidance for UK Government: Secure Configuration Blueprint for the UK Public Sector, which outlines how to configure a Microsoft 365 tenant for use at OFFICIAL (which includes OFFICIAL-SENSITIVE), and sits alongside the Cross Government Collaboration guidance and the Bring Your Own Device guidance.
Figure 1. Relationship with other NCSC and Microsoft guidance.
The guidance draws on experience gained working across UK government and the wider public sector, and incorporates existing best practice previously published by Microsoft.
We determined that a baseline configuration for government organisations would enable a more consistent and secure approach to configuring classification and protection policies by providing a starting point for technology and compliance professionals alike. The recommended configuration we’ve produced focuses on these key areas:
- Increasing visibility of where data is located to data governance teams.
- Providing protection that follows documents as they are accessed internally or when shared externally by assigning the relevant GSCP label.
- Providing visual labels that indicate how a document should be handled.
- Providing visual labels for Microsoft Teams and SharePoint to control whether external users are allowed access to content stored within them.
- Complementing the Cross Government Collaboration Blueprint to mark and protect documents as they are shared and co-authored between Government departments and partners.
Important note about this guidance
This guidance has been written as a starting point; organisations should consider how they may wish to supplement it with additional controls appropriate to their environment and risk appetite.
The blueprint guidance has been structured to follow a Microsoft-recommended three-phase approach for implementation: ‘Crawl, Walk, and Run’.
Figure 2. Microsoft’s recommended three-phase approach to implementation.
With the ‘Crawl, Walk, Run’ approach, changes can be introduced in phases across your organisation, focusing on small sets of users first and then expanding to broader audiences. This allows you to deploy quickly whilst minimising disruption, and helps you establish a baseline of user behaviour before introducing tighter restrictions. It also helps you identify potential conflicts or compatibility issues between different tools early, so you can address them before they have a wider impact.
The visual indication that sensitivity labels provide is a small but important part of what the capability offers. The guidance takes an outcomes-based approach that aims to reduce the likelihood of accidental data loss or oversharing.
The guidance therefore provides ‘outcomes-based’ controls that use the features available in Microsoft Purview Information Protection to restrict access to content based on the label selected. The sensitivity labels are broken down into two distinct areas: content labels and container labels.
Content labels
Content labelling applies the label directly to documents and emails. This stamps the data with label metadata, which is maintained wherever the data resides.
Figure 3. How content labelling relates to data, controls and policy.
Content labels provide visual indicators of the scope within which a document or email should be accessed.
Figure 4. Access areas that may be denoted by content labels.
Container labels
Container labels apply to a workload (e.g. SharePoint, Teams or M365 group) where content is stored. The labels are used to define whether External Guest users are allowed to access the container and collaborate with internal member users.
Figure 5. Container labels define access permissions for External Guest users.
Container labelling applies the sensitivity label at the container level. Container labels are named differently from the data labels because they serve a different function – namely to control access to the containers. These labels provide a visual representation of the privacy level (Public or Private) and of whether external guest users are allowed to be members of the Team or SharePoint site (Internal or External).
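As an added example (not the guidance's own configuration), the following Security & Compliance PowerShell session creates one content label and two container labels of the kinds described above, publishes them, and lists the result. The label names, tooltip text and policy name are assumptions chosen to match the naming scheme the page describes; the session assumes the ExchangeOnlineManagement module is installed and the account holds a role permitted to manage sensitivity labels.

```powershell
# Added example, not from the guidance. All label and policy names are assumed.
# Connect to Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession

# Content label: stamps files and emails with label metadata that travels with the
# item, and adds a visible header marking so handlers can see how to treat it.
New-Label -Name "OFFICIAL-SENSITIVE" `
    -DisplayName "OFFICIAL-SENSITIVE" `
    -Tooltip "Assumed tooltip: OFFICIAL material needing additional care" `
    -ContentType "File, Email" `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "OFFICIAL-SENSITIVE" `
    -ApplyContentMarkingHeaderAlignment Center

# Container label "Private - Internal": private Team/site, guest users cannot be members.
New-Label -Name "Private - Internal" `
    -DisplayName "Private - Internal" `
    -Tooltip "Assumed tooltip: private container, internal members only" `
    -ContentType "Site, UnifiedGroup" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false

# Container label "Private - External": same privacy level, but guest membership allowed.
New-Label -Name "Private - External" `
    -DisplayName "Private - External" `
    -Tooltip "Assumed tooltip: private container, external guests permitted" `
    -ContentType "Site, UnifiedGroup" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $true

# Labels are invisible to users until published through a label policy.
New-LabelPolicy -Name "GSCP OFFICIAL labels (assumed name)" `
    -Labels "OFFICIAL-SENSITIVE", "Private - Internal", "Private - External" `
    -ExchangeLocation All

# Check which labels now exist and which workloads each one applies to.
Get-Label | Format-Table Name, DisplayName, ContentType
```

Run the container-label part in the ‘Crawl’ phase against a pilot group first, since changing a container label can alter guest membership on existing Teams and sites.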
Find out more
Microsoft for critical infrastructure
Microsoft 365 Guidance for UK Government: External Collaboration
UK OFFICIAL and UK NHS Regulatory Compliance built-in initiative
About the author
James has spent his entire IT career of 27 years specialising in the security arena, the last 22 of which have been for Microsoft. Based in the UK, he works in the key areas of security and identity in the public sector as a Security Technical Specialist. He is a regular contributor to Microsoft docs for Securing Privileged Access and was the lead architect for the Microsoft 365, Cross Government Collaboration and BYOD guidance produced for Cabinet Office and NCSC.