Some of you have heard me advocate for building information protection into the data itself. Some recent announcements by Microsoft show that the company is pushing to make information protection labels sufficiently simple and robust to work for most organizations.
Protect the Data Where it Lives
Let’s recap how we got here. (Sherman, set the WayBack machine for…) Way back when, we protected information by building a wall around it (hello, firewall). References to moats and castles were all the rage. We thought that we could leave the data unprotected inside the firewall, as long as our perimeter defenses were strong enough.
I suppose if you’re going to talk about castles, it’s only a matter of time before someone shows up with a Trojan Horse. With a “trust everyone inside the wall” security model, the Bad Guys figured out that if they could just get inside the firewall they could do whatever they wanted. Other extensions of the walled garden idea were rolled out (hello, Remote Desktop Protocol). But even today, a lot of the security battle is being fought over identity and access management—getting into the castle.
Today, we talk a lot about “software defined perimeters” and a “zero trust” model. Increasingly, we’re concluding that the data must protect itself.
Information Protection Starts with Labeling Your Content
To protect your information in any kind of systematic way, you must create and apply a consistent set of labels to the content. Then you must define what actions will be taken for content with a given information protection label. Actions could include blocking the forwarding of an email, encrypting a document, making a document read-only, warning a user, etc.
We’re already familiar with another kind of labeling—email retention tags. More and more organizations are setting up email retention policies. They do this by defining a set of email retention tags (generally related to time since the email was received) and an associated set of actions. For instance, email older than two years might be moved to an archive, or deleted.
The Problems with Information Protection Labels
Setting up information security by use of information protection labels sounds great. It’s akin to that other Holy Grail many organizations pursue: content management. So why do organizations keep asking us for help in both areas? The simple answer: because it’s hard.
Applying information protection labels is hard for a couple of reasons.
- Consistency. You want the same information protection label applied to the same kind of content, regardless of who applies it. “Sensitive” should mean the same thing to everyone.
- Complexity. I would have said “information protection label proliferation” but that’s not as pithy.
Imagine this scenario. A committee forms to generate a set of information protection labels and the actions that those labels will generate. There’s not quite agreement on what constitutes “Confidential,” so the group decides to add “Sensitive.” And “Potentially Embarrassing.” And “OK for Executive Management to Know, But Not for Rank and File.” Now we have a bunch of information protection labels and associated actions. They’re hard to remember. And they’re harder to apply… consistently.
There’s a third problem (especially for content management): what to do about applying information protection labels to all the content we’ve already generated. I’ll make the economist’s assumption that there is no existing content, to simplify the situation. But even so, the first two problems are enough to slow down or stop organizations from implementing information protection labels.
Automation Can Help with Information Protection Labels
Back to Microsoft. They just announced that they are including Information Protection plans with Office 365 E3 and E5 subscriptions. Go read the article, if only to enjoy looking up “lacuna.” The E3 plan will likely get the “Standard” Information Protection plan; the E5 plan will get the “Advanced” plan. (More in a minute on why you’ll want to upgrade to E5, so you can get the Advanced plan.)
Where Microsoft is heading (and it’s not all the way there yet) is a world where Outlook and Office apps will either automatically apply an information protection label based on what’s in the email or document, or they will display a tip encouraging the user to apply the label.
I’m not a fan of asking users to apply labels. First, there’s that consistency thing. Some won’t apply labels at all. Some will apply different labels for the same content. This is where automation comes in. Let the application decide what information protection label to apply, based on the conditions you’ve specified! (And imagine the AI-fueled world where the information protection label conditions are determined by something more than a set of keywords and Boolean operators.)
And where does automated application of labels live? You guessed it: the Advanced Information Protection plan in the E5 SKU.
Where We Are Now with Information Protection Label Application
We can apply information protection labels now, but there are some significant limitations.
First, the Office apps don’t yet have labeling built into them. For now, you can accomplish this with the Azure Information Protection client. Think of it as an add-in.
Second, the Azure Information Protection client only works on Windows devices. iOS, Android and Mac support is coming, but it is not here today. This leaves mobile as a huge gap in an organization’s Information Protection plan.
Experiment Now and Roll Out Later
I’d advise waiting for Microsoft to close the current gaps in information protection label application before you roll out Information Protection on a broad scale. (And by the way, that includes delivering a labeling approach that is consistent across Office, SharePoint and OneDrive. Yes, they’re working on it.)
Don’t just file this in your “revisit in six months” folder. There’s enough functionality to begin playing around with Information Protection today. Try developing a small set of information protection labels and associated actions. See how well these labels work in encompassing the kinds of content your organization creates. Rinse and repeat. If you take this kind of Agile approach to defining a set of information protection labels and associated actions (warn, encrypt, delete, etc.) you’ll be able to focus on implementation once Microsoft delivers all the elements of a consistent labeling and information protection service.
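To make the experiment concrete, here is an added example (not Microsoft's labeling engine and not code from the original post) of the two ideas above: labels applied automatically from keyword conditions combined with Boolean operators, and a coverage check showing how much sample content a small trial label set actually encompasses. The label names, patterns, actions and sample documents are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    name: str
    rank: int            # higher rank = more sensitive
    actions: tuple       # what the platform should do for this label
    all_of: tuple = ()   # AND: every pattern must match
    any_of: tuple = ()   # OR: at least one pattern must match
    none_of: tuple = ()  # NOT: no pattern may match

    def matches(self, text):
        hit = lambda p: re.search(p, text, re.IGNORECASE) is not None
        if not (self.all_of or self.any_of):
            return False  # a label with no positive condition never auto-applies
        return (all(hit(p) for p in self.all_of)
                and (not self.any_of or any(hit(p) for p in self.any_of))
                and not any(hit(p) for p in self.none_of))

# Constructed three-label trial set; deliberately small, per the advice above.
LABELS = (
    Label("Public", 0, ("none",), any_of=(r"\bpress release\b",)),
    Label("Internal", 1, ("warn",),
          any_of=(r"\binternal only\b", r"\bdo not forward\b")),
    Label("Confidential", 2, ("encrypt", "block_forward"),
          any_of=(r"\b\d{3}-\d{2}-\d{4}\b", r"\bsalary\b", r"\bmerger\b"),
          none_of=(r"\bpress release\b",)),
)

# Constructed sample content standing in for an organization's documents.
SAMPLE_DOCS = (
    "Press release: the merger closes in Q3.",
    "Internal only: draft agenda for Thursday.",
    "Do not forward. Salary bands for next year attached.",
    "Employee ID number 000-12-3456 is on file.",
    "Lunch menu for the cafeteria.",
)

def classify(text, labels=LABELS):
    """Return the most sensitive matching label, or None if nothing matches."""
    matched = [label for label in labels if label.matches(text)]
    return max(matched, key=lambda label: label.rank) if matched else None

def coverage(docs, labels=LABELS):
    """Return (fraction of docs labeled, docs no label encompassed)."""
    unlabeled = [d for d in docs if classify(d, labels) is None]
    return (len(docs) - len(unlabeled)) / len(docs), unlabeled
```

The unlabeled list is the input to the next "rinse and repeat" pass: it shows which kinds of content the current label set fails to encompass, without adding labels by committee.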