Differences between Windows Information Protection (WIP) and that “other” Information Protection (AIP)
Alex Fields
I received a really interesting question from a reader this week, and another person asked me the same question when I was at Ignite recently, speaking on the security features in Microsoft 365 Business. So I think it makes sense to put this article out there, to help folks understand the difference between document labeling (e.g. Azure Information Protection or Sensitivity labels) and Windows Information Protection (WIP), a Windows 10 feature that you configure and deploy through Intune.
Data classification using either AIP labels or the new Sensitivity labels in Office does basically the same thing:
- Applies markings to documents such as header/footer/watermark
- Protects documents using encryption
- Applies permissions like restricting the ability to Save as or Print
This is a very different set of capabilities from WIP. I know, it’s confusing, right? Because both of them are called “Something” Information Protection. How much information protection do I need?!
The purpose of WIP, which is an Endpoint DLP solution, is to draw corporate boundaries through an endpoint (such as a Windows 10 laptop or desktop computer). When I think of Endpoint DLP solutions, I literally visualize a fence on the computer being drawn around the data and apps that belong to the company. Everyone outside the fence–all the “other” apps and locations do not get to mix and play with the resources inside the fence.
This is especially useful with BYOD devices, or devices that have a lot of mixed business/personal use. For example, if users have personal storage apps or locations on the device–like a personal OneDrive or DropBox account–those are considered non-corporate and therefore WIP can be used to block saving corporate data into these locations.
WIP is limited to specific endpoints, labels are not
WIP is much more limited in scope than an information protection label that is applied to a document. A document that is stamped with a Sensitivity label (or Azure Information Protection label) can remain protected, even if it were shared and downloaded to an outside/non-corporate location. The recipient could be required to authenticate and they would also be held to whatever restrictions are imposed by the label for their identity.
WIP has no ability to do that–you can’t use it to apply permissions to content, and it is not “transferable” to any other place–it’s just a fence that we can use to corral the corporate data on that endpoint specifically.
Why is that useful, you might ask? Well, WIP is your best friend when a device needs to be wiped of its corporate data (without touching the personal stuff). It can also prevent accidental oversharing to locations that are not under your control.
The other thing to realize about WIP is that this protection is wholesale. You can’t apply it to some corporate documents and not others. It applies to endpoints, not individual pieces of data per se. And there are only two possible states for data on an endpoint that is protected by WIP: the data is either inside the fence (corporate) or outside it (personal). Which side a file lands on is decided by where it came from, not by what is in it: files that come from the enterprise network locations and cloud resources you list in the policy, or that are created in one of the protected apps, are tagged corporate, and everything else is personal.
Whereas there are many possible labels that can grant all types of permission on one document vs. another using Azure Information Protection or Sensitivity labels. Some labels may allow external collaboration, while others would be strictly confidential (internal only). Some labels may restrict the ability to export data or print, while others would allow full modify and export actions. Again, that granularity of control (which follows the data around no matter where it goes) is not something that belongs to the list of capabilities within WIP.
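To make the contrast concrete, here is an added example (not code from the original post, and not how Microsoft implements either product) that models the two decision procedures described above in Python: WIP as a per-endpoint fence with a two-state data model decided by the file's source and the app it is going to, and a Sensitivity/AIP label as a set of per-identity permissions that travels with the document. The four WIP mode names (Block, Allow overrides, Silent, Off) are the real mode names from the Intune policy; the domains, app names, identities, label names and rights below are constructed for illustration.

```python
"""Toy model of endpoint-fence (WIP) vs. document-label (AIP) protection.
Added example, not the original post's code.  Domains, apps, identities and
label definitions are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse


class WipMode(Enum):
    BLOCK = "Block"                      # corporate data cannot leave the fence
    ALLOW_OVERRIDES = "Allow overrides"  # user is prompted, the action is logged
    SILENT = "Silent"                    # action is allowed but audited
    OFF = "Off"                          # no enforcement


@dataclass(frozen=True)
class WipPolicy:
    mode: WipMode
    protected_apps: frozenset       # apps inside the fence
    enterprise_domains: frozenset   # enterprise cloud resources / network locations

    def is_corporate_source(self, url: str) -> bool:
        """A file is corporate if it came from an enterprise location.
        Suffix match requires the dot, so evil-contoso.com does not match contoso.com."""
        host = (urlparse(url).hostname or "").lower()
        return any(host == d or host.endswith("." + d) for d in self.enterprise_domains)

    def tag_file(self, source_url: str) -> str:
        """WIP has exactly two states for data on the endpoint."""
        return "corporate" if self.is_corporate_source(source_url) else "personal"

    def evaluate(self, file_tag: str, destination_app: str) -> str:
        """Outcome when data tagged `file_tag` is sent to `destination_app`."""
        if file_tag == "personal":
            return "allow"   # outside the fence already; not WIP's concern
        if destination_app in self.protected_apps:
            return "allow"   # corporate data staying inside the fence
        # corporate data crossing the fence: the policy mode decides
        return {WipMode.BLOCK: "block", WipMode.ALLOW_OVERRIDES: "prompt",
                WipMode.SILENT: "audit", WipMode.OFF: "allow"}[self.mode]


def wip_tag_after_leaving_endpoint(file_tag: str) -> str:
    """The fence is per-endpoint: a copy on a machine the policy does not
    cover carries no corporate/personal distinction at all."""
    return "untagged"


@dataclass(frozen=True)
class Label:
    name: str
    rights: dict   # identity (or "*" = anyone who authenticates) -> set of actions

    def rights_for(self, identity: str) -> set:
        return set(self.rights.get(identity, self.rights.get("*", set())))


@dataclass(frozen=True)
class LabeledDocument:
    label: Label
    location: str   # where this copy lives; deliberately ignored below


def label_allows(doc: LabeledDocument, identity: str, action: str) -> bool:
    """Permission travels with the document, not with the endpoint."""
    return action in doc.label.rights_for(identity)


# --- constructed sample policy and labels --------------------------------
WIP = WipPolicy(
    mode=WipMode.BLOCK,
    protected_apps=frozenset({"Word", "Outlook", "OneDrive - Contoso"}),
    enterprise_domains=frozenset({"contoso.sharepoint.com", "contoso.com"}),
)
INTERNAL = Label("Confidential - Internal only",
                 {"alice@contoso.com": {"view", "edit", "print"}})
EXTERNAL = Label("Confidential - External collaboration",
                 {"alice@contoso.com": {"view", "edit", "print", "export"},
                  "*": {"view", "edit"}})


def demo() -> dict:
    budget = WIP.tag_file("https://contoso.sharepoint.com/sites/finance/budget.xlsx")
    photo = WIP.tag_file("https://photos.example.net/me/holiday.jpg")
    partner = "bob@fabrikam.com"
    shared = LabeledDocument(EXTERNAL, location="partner's home PC")
    leaked = LabeledDocument(INTERNAL, location="partner's home PC")
    return {
        "budget_tag": budget,                                   # corporate
        "photo_tag": photo,                                     # personal
        "budget_to_word": WIP.evaluate(budget, "Word"),         # allow
        "budget_to_dropbox": WIP.evaluate(budget, "Dropbox"),   # block
        "photo_to_dropbox": WIP.evaluate(photo, "Dropbox"),     # allow
        "budget_off_device": wip_tag_after_leaving_endpoint(budget),  # untagged
        "partner_view_external": label_allows(shared, partner, "view"),    # True
        "partner_print_external": label_allows(shared, partner, "print"),  # False
        "partner_view_internal": label_allows(leaked, partner, "view"),    # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The two halves make the article's point in code: the WIP policy answers only "is this corporate, and is it leaving the fence?", and the answer changes with the mode and the destination app but never with the document's contents; the label answers "what may this identity do with this document?", and `location` never enters the decision, which is why a labeled file shared to a partner's PC is still governed while a WIP-tagged file copied off the device is not.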
Hopefully that provides some clarity around when you would use each tool. Personally I like WIP if your plan is to allow BYOD Windows 10 devices. If not, and you are 100% corporate, then just require device compliance using Conditional Access. If the user were to leave the company, the understanding is that you would wipe the device. The whole device. If you need to wipe only corporate data from a device, WIP can be good for that.
By the way, I would still require device compliance in that case anyway, because you need to protect all of your endpoints whether they are BYOD or not, and you get richer features in WIP if the device is enrolled in MDM.
While some will use WIP and some will ignore it (which is fine) I think that every organization should be taking a hard look at Azure Information Protection and the newer “Sensitivity labels” in Office. They are incredibly powerful, and make a lot of sense moving into the future, versus traditional “container-based” access control lists, etc.
I will have some general guidance on this soon–my plan is to outline a very simple setup that I think many orgs could “get started” with, and build on from there with regard to Sensitivity labels.