
Time to get to grips with Microsoft’s new labelling framework

Sensitivity labels enable organisations to encrypt content in Office apps and ensure that items remain encrypted, even in the event of a file rename.

Johannesburg, 20 Sep 2019

Looking at the protection of sensitive data, such as personally identifiable information, inevitably requires an in-depth appreciation of data classification and labelling as part of an organisation’s overall data governance and compliance.

With Microsoft having recently extended the ability to apply sensitivity labels from a dropdown box within Office applications on Windows, I thought this would be an opportune time to take a closer look.

When conducting data privacy assessments with clients, I address the full gamut of an organisation’s remit regarding data classification, both for data security and data retention purposes.

At this stage, it’s important to note that sensitivity labels must be distinguished from retention labels which, among other things, allow an organisation to stipulate different periods of retention for different categories of data (read more on retention labels here).

Another distinction must be drawn between sensitivity labels and sensitive information types that can be identified by a regular expression or function, such as identity numbers or credit card numbers. Sensitive information types will be addressed more fully in later blogs.

What is data classification and labelling?

At their core, data classification and labelling are designed to enable organisations to accurately and meaningfully classify data based on its sensitivity and to protect sensitive information from being accidentally or maliciously shared outside of approved channels. Data can also be labelled with no associated protection settings for future identification and/or protection, for the generation of usage reports and to track activity.

Dropdown box in Windows lets you apply a sensitivity label from any Office application.

Labelling works by attaching a clear-text tag (a “label”) to the metadata of an e-mail or file. That label roams with the file wherever it travels, whether internally or externally, and will persist even if downloaded from SharePoint or OneDrive. A label must be published, creating a policy which will enforce the selected protections.

Labels can either be applied manually by users (with or without the help of label recommendation tooltips) or entirely automatically. A combination of both methods can also be leveraged to minimise human error while maximising user flexibility. However, some of this labelling functionality is only available with certain subscription licences.

It’s important that you get the groundwork done correctly and agreed to by all the relevant stakeholders in your organisation.

Cloud Essentials offers training on label implementation as part of our GDPR and POPIA compliance remediation services. Get in touch to find out more.

Sensitivity label availability

Previously, organisations looking to protect their data had to have an Azure Information Protection (AIP) licence to access this functionality.

Now, however, Microsoft has introduced Microsoft Information Protection, which is no longer a subscription or licence that must be purchased, but rather a framework for products and integrated capabilities to assist organisations to protect their sensitive data. This central labelling platform enables organisations to create and configure sensitivity labels as well as retention labels using the Office 365 Security & Compliance Centre, Microsoft 365 Security Centre, or Microsoft 365 Compliance Centre.

Third-party vendors can also leverage this framework via the Microsoft Information Protection SDK, and as we’ve said earlier, end-users can now add labels from their Office apps. The framework can also be used by products such as Office 365 Data Loss Prevention and, indeed, AIP.

If you’ve already been using AIP, you can migrate any existing labels to the new unified labelling store so that these can be used as sensitivity labels with all the protection they afford.

However, not all AIP labelling functionality is currently supported in the new unified labelling client, so for now it’s vital that organisations audit their requirements before making this move.

The right time to migrate will likely differ for every organisation, with the option of a dual-client set-up available to smooth the transition in the meanwhile. Read more on label migration here.

Controls you can use ‘for free’

Base-level enterprise licences include the ability to encrypt labelled content or to automatically insert watermarks, a header and/or a footer.

  • One commonly used watermark is the word “Draft”. This signifies that the document is not in final form and/or requires review and must not be sent to the final, intended recipient.
  • Attorneys conducting settlement negotiations may want to insert the words “Without Prejudice” as a header in all e-mails exchanged as part of those negotiations to ensure that those e-mails are not produced in court unless and until permitted by law.
  • Organisations may want to include copyright information in a footer designating that the contents of the document are protected by copyright laws.

Another option available is for organisations to label documents or e-mails either to apply protection settings at a later stage or to monitor usage and/or activity related to those documents or e-mails.

Label activity reports may prove essential when demonstrating compliance with GDPR, as organisations subject to the regulation are bound to do.

Sensitivity labels also enable organisations to encrypt content in Office apps, with the ability to encrypt in flight and at rest, and ensure that items remain encrypted, even in the event of a file rename.

As well as determining ‘upfront’ who can access an encrypted item, you can also give users the latitude to apply encryption (and other permissions) ad hoc.

This is handy for organisations that need to share sensitive documents with external vendors when working on a joint project. In that case, users can allocate permissions as required to the relevant people, and set access to expire after the project has been completed.

Optional extras

The devil is in the detail with Microsoft functionality and licensing, however. By this I mean you will find that certain additional functionality is only available to those on higher licence tiers or with additional subscriptions.

For example, by licensing Microsoft Intune you can prevent sensitive content on any device running Windows from leaving the organisation via an external USB drive or a third-party application such as Twitter. This is exceptionally helpful to prevent, for example, proprietary information being leaked to competitors.  

In addition, by using Microsoft Cloud App Security, you can ensure that only labelled and protected content is downloaded onto or uploaded from third-party applications such as Dropbox, Box and AWS.

Finally, the Microsoft Information Protection SDK extends the ability to read and apply sensitivity labels and associated protection settings to third-party applications running on Windows, Mac and Linux. 

Preparing to adopt sensitivity labels

With the increase in the availability of sensitivity labels (and the convenience of applying them), we hope that a lot more organisations are going to start leveraging these versatile security and compliance tools.

However, introducing sensitivity labels for the first time (or refining existing policies) can be a complicated process that requires a lot of thought and planning to do well.

Look out for our next blog article on the creation of sensitivity labels and the definition of label taxonomies. In the meantime, get in touch to find out more about how Cloud Essentials can assist in the planning and implementation process.

About Kelly Chalom

Kelly is Cloud Essentials' GDPR and Data Privacy Compliance Specialist. While heavily involved in general compliance workshops and training, the core focus is providing customised turnkey compliance solutions for clients.


Cloud Essentials

Cloud Essentials is a leader in enterprise cloud migration and information management solutions, with a keen focus on security and compliance. A Gold Certified Microsoft Partner with over 20 years’ experience delivering messaging and transitional solutions, CE is helping enterprises throughout EMEA get maximum return on their cloud investment whilst navigating complexity caused by factors such as legacy systems and constant business and regulatory change.

To find out more about CE’s services, visit https://www.cloudessentials.com/.