Implementing data sensitivity labels
Time to get to Grips with Microsoft’s Labelling Framework
Looking at the protection of sensitive data, such as personally identifiable information, inevitably requires an in-depth appreciation of data classification and labelling as part of an organisation’s overall data governance and compliance.
With Microsoft having recently extended the ability for end users to apply sensitivity labels from a dropdown within Office applications on Windows (the functionality was previously available on macOS, iOS and Android), I thought this would be an opportune time to take a closer look.
What is data classification and labelling?
When conducting data privacy assessments with clients, I address the full gamut of an organisation’s remit regarding data classification – both for data security and data retention purposes.
At their core, data classification and labelling are designed to let organisations classify data accurately and meaningfully according to its sensitivity, and to protect sensitive information from being shared, accidentally or maliciously, outside approved channels. Data can also be labelled with no protection settings attached, so that it can be identified (and, if required, protected) later, included in usage reports and tracked for activity.
Labelling works by attaching a clear-text tag (a "label") to the metadata of an email or file: for Office documents it is stored as custom document properties, for emails as a message header.
That label roams with the file wherever it travels, internally or externally, and persists even when the file is downloaded from SharePoint or OneDrive. Note that the tag itself is only metadata, not protection: unless the label also applies encryption, anyone who can edit the file's metadata can read or remove it, so a label should be treated as a claim about the content rather than a guarantee.
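To make the "clear-text tag in the metadata" concrete, here is an added Python example (written for this page; it is not code from the post, from Cloud Essentials or from Microsoft) that reads the MSIP_Label_<guid>_<Attribute> custom properties from an Office file's docProps/custom.xml and the same key=value pairs from an email's msip_labels header. The label GUID, tenant ID and the documents it parses are constructed samples built inside the script, and the bit meanings used to decode the ContentBits attribute are an assumption of the example.

```python
"""Read Microsoft Information Protection sensitivity-label metadata.

A label is stored as clear-text tags:
  * Office files (docx/xlsx/pptx are zip containers): custom document
    properties in docProps/custom.xml named MSIP_Label_<guid>_<Attribute>
  * Email: an 'msip_labels' header of ';'-separated key=value pairs
    using the same MSIP_Label_<guid>_<Attribute> keys
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
MSIP_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")

# Bit meanings for the ContentBits attribute are an ASSUMPTION of this example.
CONTENT_BITS = {1: "header", 2: "footer", 4: "watermark", 8: "encryption"}


@dataclass
class SensitivityLabel:
    label_id: str                               # label GUID from the tag name
    attrs: dict = field(default_factory=dict)   # Name, Enabled, SiteId, SetDate, ...

    @property
    def name(self):
        return self.attrs.get("Name")

    @property
    def enabled(self):
        return self.attrs.get("Enabled", "").lower() == "true"

    def markings(self):
        """Decode ContentBits into the set of markings the label applies."""
        bits = int(self.attrs.get("ContentBits") or 0)
        return {m for bit, m in CONTENT_BITS.items() if bits & bit}


def _labels_from_pairs(pairs):
    """Group MSIP_Label_<guid>_<attr>=value pairs by GUID; ignore other keys."""
    labels = {}
    for key, value in pairs:
        m = MSIP_RE.match(key)
        if m:
            guid, attr = m.group(1).lower(), m.group(2)
            labels.setdefault(guid, SensitivityLabel(guid)).attrs[attr] = value
    return list(labels.values())


def labels_from_office_file(data: bytes):
    """Return the sensitivity labels recorded in an Office (OOXML) file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return []                       # no custom properties part at all
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    pairs = []
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        # each property holds one typed vt:* child (lpwstr, i4, bool, ...)
        value = "".join(child.text or "" for child in prop)
        pairs.append((prop.get("name", ""), value))
    return _labels_from_pairs(pairs)


def labels_from_msip_header(header_value: str):
    """Return the sensitivity labels encoded in an email's msip_labels header."""
    pairs = []
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return _labels_from_pairs(pairs)


# ---- constructed sample input (hypothetical IDs, not real files) ----------
SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def build_sample_docx(label_name=None, content_bits=0):
    """Build a minimal docx-shaped zip; label_name=None gives no custom.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if label_name is not None:
            ET.register_namespace("vt", VT_NS)
            props = ET.Element(f"{{{CUSTOM_NS}}}Properties")
            attrs = [("Enabled", "true"), ("SiteId", SAMPLE_TENANT),
                     ("Name", label_name), ("ContentBits", str(content_bits))]
            for pid, (attr, val) in enumerate(attrs, start=2):
                p = ET.SubElement(props, f"{{{CUSTOM_NS}}}property",
                                  fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}",
                                  pid=str(pid), name=f"MSIP_Label_{SAMPLE_GUID}_{attr}")
                ET.SubElement(p, f"{{{VT_NS}}}lpwstr").text = val
            zf.writestr("docProps/custom.xml",
                        ET.tostring(props, encoding="UTF-8", xml_declaration=True))
    return buf.getvalue()


SAMPLE_HEADER = (f"MSIP_Label_{SAMPLE_GUID}_Enabled=true; "
                 f"MSIP_Label_{SAMPLE_GUID}_SiteId={SAMPLE_TENANT}; "
                 f"MSIP_Label_{SAMPLE_GUID}_Name=Highly Confidential; "
                 f"MSIP_Label_{SAMPLE_GUID}_ContentBits=12")

if __name__ == "__main__":
    for label in labels_from_office_file(build_sample_docx("Confidential", 10)):
        print("docx:", label.name, sorted(label.markings()))
    for label in labels_from_msip_header(SAMPLE_HEADER):
        print("mail:", label.name, sorted(label.markings()))
```

Because the parser keys everything on the label GUID rather than the display name, it copes with renamed labels and ignores unrelated custom properties. It is the kind of check a DLP rule, mail gateway or forensic triage script would run; bear in mind that it reports what the metadata claims, and a file whose label has no encryption can carry any tag its last editor chose to leave in place.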
Labels can be applied manually by users (with or without the help of label recommendation tooltips) or entirely automatically. The two methods can also be combined to minimise human error while preserving user flexibility. Note, however, that some of this labelling functionality is only available with certain subscription licences.
The starting point for all of this, however, is that labels must first be defined and then published in a label policy, which is what makes them available to users and enforces the selected protections.
Sensitivity Label Availability
Previously, organisations looking to protect their data had to have an Azure Information Protection (AIP) licence to access this functionality.
Now, however, Microsoft has introduced Microsoft Information Protection, which is not a subscription or licence that must be purchased but a framework of products and integrated capabilities that help organisations protect their sensitive data.
This central labelling platform enables organisations to create and configure sensitivity labels as well as retention labels using the Office 365 Security & Compliance Centre, Microsoft 365 Security Centre, or Microsoft 365 Compliance Centre.
Third-party vendors can also leverage this framework via the Microsoft Information Protection SDK, and as we’ve said earlier, end-users can now add labels from their Office apps. The framework can also be used by products such as Office 365 Data Loss Prevention and, indeed, AIP.
If you've already been using AIP, you can migrate any existing labels to the new unified labelling store so that they can be used as sensitivity labels with all the protection they afford.
However, not all AIP labelling functionality is currently supported in the new unified labelling client, so it's vital that organisations audit their requirements before making the move.
The right time to migrate will likely differ for every organisation, with the option of a dual-client setup available to smooth the transition in the meanwhile.
Controls you should be using right now
Base-level enterprise licenses include the ability to encrypt labelled content or to automatically insert watermarks, a header and/or a footer.
These are some of my tips on how your business (and especially your legal department) might want to use these capabilities in order to protect your company’s content:
- For emails exchanged during the course of settlement negotiations, the parties involved may want to insert the words "Without Prejudice" as a header to ensure that those emails are not produced in court unless and until permitted by law.
- It's good practice to use the word 'Draft' as a watermark until a document is in final form. That way, it acts as a caution to employees not to send that version, and, if it is inadvertently sent ahead of finalisation, the recipient will know that the document is a work in progress that may be superseded or updated by subsequent versions.
- You may want to include copyright information in a footer designating that the contents of the document are protected by copyright laws.
- Listed companies may wish to ring-fence board minutes and communications and, to this end, could include "Board Communications – Highly Confidential" as a header or footer.
Label now – specify policies later: Even if you don't yet know which protection settings you want to apply, labelling documents or emails now means you can attach protection settings to those labels at a later stage.
Use labels to track activity: You can also monitor usage and activity related to labelled documents or emails. Label activity reports may prove essential when demonstrating compliance with GDPR.
Sensitivity labels also enable organisations to encrypt content in Office apps on Windows, Mac, iOS and Android. In doing so, content owners can determine usage, access and sharing permissions at the user, group or organisation level and can control permissions allocated to external recipients.
When electing to encrypt content, you define the permissions that are attached to that label. Permissions may be pre-defined as part of a role, such as author or reviewer, or allocated individually; the individual rights include viewing, saving, printing, copying, replying, replying to all and forwarding.
In addition, organisations have the flexibility to specify when permissions relating to labelled files expire and whether they can be accessed offline.
This is handy if you need to share sensitive documents with vendors to enable them to provide a service. In this situation, you can allocate vendor viewing permissions to continue only for the duration of the project.
The devil is in the detail with Microsoft functionality and licensing, however. By this I mean that certain additional functionality is only available to those on higher licence tiers or with additional subscriptions.
For example, by licensing Microsoft Intune you can prevent sensitive content on any device running Windows from leaving the organisation via an external USB drive or a third-party application such as Twitter. This is exceptionally helpful to prevent e.g. proprietary information being leaked to competitors.
In addition, by using Microsoft Cloud App Security, you can ensure that only labelled and protected content is uploaded to, or downloaded from, third-party applications such as Dropbox, Box and AWS.
The Microsoft Information Protection SDK also extends the ability to read and apply sensitivity labels and associated protection settings to third-party applications running on Windows, Mac and Linux.
Preparing to adopt sensitivity labels
With sensitivity labels now more widely available (and more convenient to apply), we hope that many more organisations will start leveraging these versatile security and compliance tools.
However, introducing sensitivity labels for the first time (or refining existing policies) can be a complicated process that requires careful thought and planning to do well: which labels to define, which protections each applies, and how they will be published and rolled out to users.
In the meantime, get in touch to find out more about how Cloud Essentials can assist in the planning and implementation process, both from a legal advice and a technical perspective.