Behold: The Power of Sensitivity Labels

Even though some people are aware of the concepts of Data Classification and tools such as Microsoft 365 Sensitivity Labels, I do not think that many of us out there have yet grasped the full implications, or taken the long view, so to speak.

Note: this is a longer read. TL;DR is just this: Over time, I believe that we will see the importance of containers fade–they are just a space for people to come together and work on stuff. In the future (maybe not too distant) governance and access control will be much more focused around Data Classification, i.e. Sensitivity Labels. Manage data types, not data locations. Location is irrelevant now. Permissions from a label cut through all collaboration spaces horizontally–this is much more efficient, flexible and manageable than anything we’ve ever had in the past.

The big miss

The problem as I see it: where we really missed in the past was in focusing on the container instead of the data itself. Now in the old world this was probably your only option unless you had lots of money and talent to implement complex Rights Management and Endpoint DLP solutions–so your only recourse for either organizing or securing data was to control something about the container that it was placed into. Create a new container or sub-container for better organization. Change ACLs for controlling access. Change firewall rules to allow or disallow VPN or RDP for certain people, etc. This is the framework we all know the best, and it is the framework many still operate by, even though the game has completely changed.

But even way back when, data was much more slippery than anyone realized; how easy was it to copy files to an external drive and walk off, or email a bunch of files to yourself at an outside account, etc.? Too easy. And even if you’re starting to take more precautions with external media and DLP in email, some of the more modern cloud-based stuff out there has made it STUPID easy to find your way around those traditional safeguards.

And all that adds up to say, definitively, we can no longer rely on containers to be our lone defenders when it comes to data access and control. Data is simply too slippery to be “containerized.” Therefore, you should stop freaking out about the containers, okay? We already know that we need to look for something better (and this is true whether you remain with your head buried in the sand of your old file server or if you’ve made the move to more modern collaboration spaces in Microsoft 365).

To be completely fair, it is impossible for IT to keep their fingers on the pulse of everything that is happening with so many individuals who work across so many apps and different datasets. It’s just not realistic. Not even for the SMB, and even less so for the Enterprise. The hard reality we have to face is that every single person is a data owner, and therefore every single person (not just IT) shares responsibility for keeping data safe. It also implies that the people closest to the datasets are the ones who are best equipped to apply appropriate protections to the data.

Enter Sensitivity Labels

Now granted, it has taken a while for this to completely crystallize in the 365 ecosystem, and there are still more improvements coming which will solidify the new methodology for governance and control over our disparate and varied datasets once and for all–but we are just now starting to get a taste of the full power of Sensitivity Labels. Here is what has happened recently, and what is coming down the pike:

  1. We can now use these labels natively in any Office app, on mobile, desktop, or web to apply protections at the level of the data itself
  2. We can require that users always apply a label when using their apps
  3. We can specify default labels
  4. We can require a business justification to be logged when someone wants to downgrade a label
  5. We can apply labels on Sites/Groups/Teams to invoke further restrictions and protect the container, too (and these do not only call upon ACLs/Group membership, but other things as well, e.g. device compliance)
  6. Soon, we can also apply DLP rules based on Sensitivity Labels (in private preview now)
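Items 1 through 4 above can be set up from Security & Compliance PowerShell. The following is an added example, not code from the original post: it creates an unencrypted default label, an encrypted label whose rights are granted only to one group, and a policy that makes labeling mandatory, sets the default, and logs a justification on downgrade. The label names, the finance@contoso.com group address and the policy name are assumptions; the `-Settings` keys are the ones documented for New-LabelPolicy.

```powershell
# Added example: requires the ExchangeOnlineManagement module and a
# Compliance admin role. Names, domain and group address are assumptions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # authenticates to the Security & Compliance endpoint

# 1. A general-purpose label with no encryption, to serve as the default.
$internal = New-Label -Name "Internal" -DisplayName "Internal" `
    -Tooltip "Business data for employees. Not for external sharing." `
    -ContentType "File, Email"

# 2. A Confidential label whose encryption grants rights only to the Finance
#    group. Anyone else who gets hold of the file (misplaced upload, wrong
#    attachment, copy walked off-site) cannot open it, and removing a user
#    from the group removes their access to every copy.
$confidential = New-Label -Name "Confidential-Finance" `
    -DisplayName "Confidential - Finance" `
    -Tooltip "Finance-only data. Encrypted; others cannot open it." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "finance@contoso.com:VIEW,EDIT,DOCEDIT,PRINT,EXTRACT,OWNER" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# 3. Publish both labels to all users: a label is required on every file and
#    email, Internal is pre-selected, and lowering a label prompts for a
#    business justification that lands in the audit log.
New-LabelPolicy -Name "Global classification" `
    -Labels $internal.Name, $confidential.Name `
    -ExchangeLocation All `
    -Settings @{
        mandatory                     = "true"
        defaultlabelid                = $internal.Guid
        requiredowngradejustification = "true"
    }

# Confirm what was published.
Get-LabelPolicy -Identity "Global classification" | Format-List Name, Labels, Settings
```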

Paint me a picture

Imagine if you will a world in which you are leveraging Sensitivity Labels to their fullest, and you have implemented mandatory Data Classification across the entire organization. Let us just compare for one minute some common scenarios and how they would play out in the Old World versus the New World.

Scenario: Somebody accidentally deposits a sensitive file into a public location or a location that grants more access than what is appropriate for that file

Under the Old World, IT would certainly not have any visibility into this error, until someone noticed and reported it. By that time, sensitive data likely could have already been exposed to others.

But in the New World, the mandatory label would apply encryption and only the authorized parties would have access to open and read that sensitive file. Therefore unauthorized access would be effectively mitigated. If the label were downgraded (assuming that were even allowed by your policy), the business justification would be recorded and subsequent access would be tracked via the audit log.

Scenario: Dave from management was attempting to send out an informational spreadsheet about the new bonus and incentives structure to all staff, but accidentally attached a different spreadsheet he had been working on that afternoon, with salary information and last year’s raises across all staff–oops!

In the Old World, this would have been a complete nightmare. In the New World, the file is labeled, so only people who would have already had this access would be able to open that rogue attachment. Slight embarrassment, but no harm done.

Scenario: You have your very own version of Edward Snowden–a contractor walking off with multiple gigabytes of corporate data (external media or outside storage account)–something Eddie might use on later jobs with your competitors.

Old World: You are probably SOL on this one–assume whatever has been stolen has already been exposed. Now it’s time to lose even more money to the attorneys who are going to track this asshat down.

In the New World? Contractors do not have the privilege of downgrading Sensitivity Labels. So they’re stuck with the access you gave them. Even restrict copy/paste/print if you like. When you do kill access for that user at the end of their employment, every single copy of stolen data goes dark for that account, forever.

Scenario: Accidental exposure to external users, by inviting them to a broader container for collaboration

In either world, this could certainly happen in a number of ways. Perhaps the external user had some level of access that was on a temporary basis, but it was never retired on time, or they were invited into a location where they had more access than what was intended (well she needs access to A so put her in security group A–oh wait that also granted access to X, Y and Z datasets). Or they were just able to walk off with their own copies of the files, even if that was not the intention of the original request.

But in the New World, the Group membership is tied to the specific resource or project they are working on–the Team. So the “scope” of data over-exposure is already limited naturally. As well, Sensitivity Labels would offer many ways to mitigate your risks beyond the container. Particularly sensitive data sets can remain private, while others which are approved for external collaboration are more open; even if an external user is brought into a Team that is working with both types of classifications, their access will be naturally limited to the non-Confidential stuff. Again, what would have been very difficult before is a cakewalk now.

Scenario: Lost or stolen device (corporate or personal)

In the Old World, at least your corporate devices would hopefully have been protected by BitLocker or whatever encryption mechanism, giving you some peace of mind, and often granting full immunity from the law. Personal devices would be a tougher nut to crack, though, wouldn’t they?

In the New World, Sensitivity Labels can limit or block access for unmanaged devices, and beyond that, individual documents will still be encrypted if they are labeled, so the full disk encryption is not as necessary for those “outside devices.” And of course managed devices will be encrypted no matter what since it is required for device compliance with Intune, and compliance is in turn enforced via Conditional Access. Not to mention, with Mobile App Protection policies, remotely wiping corporate data works whether the device is enrolled or not.

The Inevitable Conclusion

You could go on and on with these scenarios. See how much easier it is these days? I challenge you to come up with a scenario that we cannot solve in Microsoft 365, especially with the growing capabilities in Sensitivity Labels. And I challenge you to explain to me why it is “unsafe” or “less secure” to allow users to create (and label) their own containers & files. They are the ones best situated to govern the data, pick the appropriate Group, apply the right label, and so on–it is not the IT department! It is simply not possible for you to know all of the data and make all of those decisions on behalf of other people (even with auto-labeling you could only define certain requirements, but not all requirements).

At the end of the day, you don’t have to manage data locations, but rather data types. This is way more realistic and way more powerful, because now you are drawing boundary lines through the data, rather than around it. It also does not require IT to manage every access request (which is not and has never been reality). Sure, you can imagine ways that really savvy people who are intent on getting their hands on that protected data might find a way to do it. Welcome to every DLP and security solution ever. But the level of control and risk mitigation that you have here is enormous compared to what you had when your focus was only on the container. (That was also known as Swiss Cheese Security.)

Simple, yet profound

Now hopefully you can also see that it really doesn’t matter much at all if users are allowed to create multiple containers such as Teams and invite people to collaborate in those containers at their leisure. Or even if they have to use other containers outside corporate control with a partner for instance, or even (gasp) send an email attachment. The same or worse risks existed before Microsoft 365 as after. But with labels in your security arsenal, the situation is so much better, particularly if you are enforcing classification org-wide.

Now remember–the end user knows more about the data than you do–whether you like it or not, they are better equipped to select the right label–but you are ultimately the one who controls the labels that people have to choose from as well as the powers behind those labels: is this data type encrypted? Is external collaboration allowed? Is unmanaged device access allowed? Is downgrading classification with justification allowed? Etc., etc. (Note: E5 or AIP Plan 2 will provide auto-label capability based on sensitive info types or custom keywords.)

So the container matters less and less. With DLP rules coming, we get even more degrees of control over Sensitivity-labeled datasets in Microsoft 365, making it harder to “ship data out” of our preferred containers. A “softer” control might merely suggest or provide policy tips about sharing, versus enforcing full encryption on extremely sensitive data sets, like those belonging to the Finance department, or those describing HR incidents.

It seems like such a simple tool, doesn’t it? And yet the implications are incredible and profound.

Current Limitations

But let’s not just drink the Kool-Aid! What are the real drawbacks and limitations? There must be some, right?

First, just recognize that yes–this is exactly where we MUST go, given our history lesson and the evolution of collaboration. Whether you are on Microsoft’s platform or any other, Data Classification is going to be the key to unlocking true governance and data protection–perhaps for the very first time.

Second, it is also true that where we are at with these capabilities today is still just the beginning, and the experience will continue to evolve and improve further (but what we have now is already pretty impressive). All that having been said, be aware of the following limitations, at the time of this writing.

You must turn on the ability to use Sensitivity Labels in Microsoft 365 browser apps such as OneDrive, Word, or Excel on the web. This is not yet enabled by default. When you do this, you will unlock most of the functionality that matters for encrypted files, such as indexing/search, DLP, eDiscovery and so on… but certain things will not work. Namely:

  • AIP labeled files must be converted to newer Sensitivity Labels
  • Labels must NOT allow user-defined permissions, nor content expiry
  • If a user has edit permissions, you cannot also block copy in web apps
  • AIP tracking site is not supported
  • Hold your own key (HYOK) not supported in web apps
  • Updating labels can cause sync issues with OneDrive client
  • Labels applied by service accounts (e.g. Cloud App Security) not yet supported
  • Cannot co-author with Desktop/Mobile client apps (exclusive editing only)
  • Resuming from sleep, Desktop apps may be asked to save a new copy of encrypted files (related to the co-authoring support)
  • Labels deleted in the cloud (a very rare event) are auto-removed from the documents carrying that label and stored on SPO/ODfB (same is not true for documents outside of SPO/ODfB)
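Before flipping the switch described above, it is worth checking existing labels against the second bullet (user-defined permissions and content expiry are not supported in the web apps). The following is an added example, not code from the original post: it enables label integration for SharePoint/OneDrive/Office for the web and lists encrypting labels that carry either unsupported setting. The admin URL is an assumption, and it assumes Get-Label exposes the encryption settings under the same property names Set-Label uses as parameters.

```powershell
# Added example: requires the Microsoft.Online.SharePoint.PowerShell and
# ExchangeOnlineManagement modules. Admin URL is an assumption.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ExchangeOnlineManagement
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-IPPSSession

# Step 1: turn on Sensitivity Label (AIP) integration for SharePoint, OneDrive
# and Office for the web. It is off by default at the time of the post.
if (-not (Get-SPOTenant).EnableAIPIntegration) {
    Set-SPOTenant -EnableAIPIntegration $true
}
Write-Host "EnableAIPIntegration is now:" (Get-SPOTenant).EnableAIPIntegration

# Step 2: find encrypting labels the web apps cannot honour.
#   - 'UserDefined' protection lets the user pick recipients at labeling time
#     (the "user-defined permissions" limitation above).
#   - a numeric expiry value means content stops opening after N days
#     (the "content expiry" limitation above).
# Property names are assumed to mirror the Set-Label parameter names.
$incompatible = Get-Label -IncludeDetailedLabelActions $true | Where-Object {
    $_.EncryptionEnabled -and (
        $_.EncryptionProtectionType -eq "UserDefined" -or
        $_.EncryptionContentExpiredOnDateInDaysOrNever -ne "Never"
    )
} | Select-Object DisplayName, Name, EncryptionProtectionType,
                  EncryptionContentExpiredOnDateInDaysOrNever

if ($incompatible) {
    Write-Warning "Encrypted files with these labels will not open in the web apps:"
    $incompatible | Format-Table -AutoSize
} else {
    Write-Host "All encrypting labels are compatible with the web apps."
}
```

Re-run the second step after every label change; a label edited later to allow user-defined permissions silently reintroduces the problem for files already stored in SharePoint or OneDrive.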

Again, some items above need to be ironed out–especially the co-authoring for desktop apps (web apps work fine). But the evolution is still unfolding, and the investments being made here are significant–Microsoft is motivated to get this right, because it completely changes the game: a true Copernican revolution for governance. We are talking about the ability to apply strong, identity-based access controls to data itself, cutting across all locations and devices, whether inside or outside our corporate boundaries. I mean, how cool is that?
