Data classification

Note

This topic is part of a larger design considerations guide. If you'd like to start at the beginning of the guide, check out the main topic. To get a downloadable copy of this entire guide, visit the TechNet Gallery.

Most companies already have a data classification policy in place, and you'll need to understand how deploying a mobile device management solution will affect this policy. If your company does not have a current data classification policy, you should introduce this capability in conjunction with planning your mobile device management solution. Some organizations perform on-premises data classification at the file server level using Active Directory Rights Management Services (ADRMS). Another tool some companies use is the Microsoft Data Classification Toolkit, which helps organizations identify, classify, and protect data on their file servers.

Office 365 provides some automatic data classification of email that can help surface sensitive information that should be protected. Office 365 uses transport rules, incorporated into mail flow processing, to detect sensitive information. The DLP feature then performs deep content analysis through keyword matches, dictionary matches, regular expression evaluation, internal functions such as checksum validation on credit card numbers, and other content examination to detect specific content types within the message body or attachments.
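To make the detection pipeline described above concrete, here is an added example (not Office 365 code, and not part of the original topic) that combines keyword matching with a regular-expression candidate search and the Luhn checksum used to validate payment card numbers; the sample messages, keyword list and regular expression are constructed for illustration only.

```python
import re
from typing import Dict, List

# Constructed sample message bodies for illustration; not real customer data.
# The card number is a well-known Luhn-valid test value, not an issued card.
SAMPLE_MESSAGES = {
    "invoice": "Please charge card 4539 1488 0343 6467 for invoice 8831 before Friday.",
    "draft": "Reference number 1234 5678 9012 3456 is an internal ticket, not a card.",
    "hr": "CONFIDENTIAL: salary review for the Q3 promotion cycle attached.",
}

# Keyword / dictionary matches (constructed list for this example).
SENSITIVE_KEYWORDS = ("confidential", "salary", "credit card", "card number")

# Candidate 13-19 digit sequences, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: the 'validate checksum' step that weeds out
    digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Regex candidates that also pass the checksum; returns normalised digits."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> Dict[str, object]:
    """Combine keyword and checksum-backed regex detection into one verdict."""
    lowered = text.lower()
    keywords = [k for k in SENSITIVE_KEYWORDS if k in lowered]
    cards = find_card_numbers(text)
    return {"keywords": keywords, "card_numbers": cards, "sensitive": bool(keywords or cards)}
```

Note that the "draft" message contains a 16-digit sequence that the regular expression alone would flag; the checksum step is what keeps it out of the sensitive bucket.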

Intune and ConfigMgr don't have data classification built in, so they rely on cloud-based classification using Azure RMS or on-premises classification using ADRMS. Another option is to use Enterprise Mobility + Security (EMS) as your MDM solution. With EMS, you'll have access to Azure AD Premium and Azure RMS, which can be used to classify data. Data classification using Azure RMS can be integrated with an on-premises management solution in a hybrid environment.

Intune enables IT to enforce policies by using compliance policies, which are sets of rules and settings that a device must comply with in order to be considered compliant by conditional access policies. You can also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access. Read Manage device compliance policies for Microsoft Intune for more information.

Use the table below as a reference to assist you in choosing the MDM option that best fits your organization's data classification requirements.

Intune (standalone)

Advantages

  • Not available

Disadvantages

  • Not available

MDM for Office 365

Advantages

  • Exchange transport rules can be used to detect sensitive information
  • Leverages data loss prevention (DLP) policy in the Compliance Center to identify sensitive information across many locations

Disadvantages

  • Data classification is not carried with the file itself. Once the file is located on the mobile device, it can be used without restrictions

Hybrid (Intune with ConfigMgr)

Advantages

  • Not available

Disadvantages

  • Not available

Enterprise Mobility + Security

Advantages

  • Leverages Azure RMS to perform data classification
  • Azure RMS subscription is included with EMS
  • Doesn't require an on-premises infrastructure for data classification
  • Can be integrated with an existing on-premises AD RMS solution
  • Protection is located in the file itself, which means that the file keeps its classification even if it is saved in a different location

Disadvantages

  • Not available for customers that are not adopting cloud-based solutions