
Security, Compliance, and Identity Blog

Announcing new Microsoft Information Protection capabilities to know and protect your sensitive data

sanjay_kidambi
Sep 22, 2020

Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution to protect sensitive data across an organization. MIP provides a unified set of capabilities to know your data, protect your data, and prevent data loss across Microsoft 365 apps (e.g. Word, PowerPoint, Excel, Outlook), services (e.g., Microsoft Teams, SharePoint, and Exchange), on-premises, devices, and third-party apps and services. 

 

Additional sensitive information types

Foundational to Microsoft Information Protection are its classification capabilities, from out-of-the-box sensitive information types to trainable machine learning classifiers that automatically find and classify sensitive content at scale. MIP already offers 100+ out-of-the-box sensitive information types. To further enhance coverage and accuracy, we will be rolling out many more information types in a phased manner. Today we are announcing worldwide general availability of 45 new and 11 improved sensitive information types, covering key regulations in Asia Pacific and in Europe.

These additional sensitive information types include:

  • Eight new sensitive information types that help enable you to be compliant with key regulations across Japan, Australia, and New Zealand
  • Twenty-two new and 11 improved sensitive information types for EU National ID and EU Tax ID that ensure better compliance with GDPR. We expect these new and enhanced sensitive information types to significantly reduce ‘false positives’ and make it more predictable for customers to refine their policies
  • Fifteen new sensitive information types for Value Added Tax (VAT) numbers and Personally Identifiable Information (PII) for the European Union, Russia, and Ukraine to improve compliance with GDPR and other regulations
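To make the "fewer false positives" claim concrete, here is an added example (not Microsoft's detection engine) that re-creates the building blocks a sensitive information type in the compliance center is assembled from: a primary regex pattern, a checksum validator, supporting keyword evidence within a character window, and a resulting confidence level. The 9-digit "tax ID" format with a Luhn check digit, the keyword list, the 300-character proximity window and the sample texts are all constructed for this demo and do not describe any real country's identifier.

```python
"""Illustrative sensitive-information-type matcher (added example, not MIP code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical format: 8 digits plus a Luhn check digit, optionally split into
# 3-3-3 groups by a space or hyphen.  Constructed for the demo only.
TAX_ID_PATTERN = re.compile(r"\b\d{3}[- ]?\d{3}[- ]?\d{3}\b")
SUPPORTING_KEYWORDS = ("tax id", "tax identification", "taxpayer", "vat")
PROXIMITY = 300  # characters of context searched for supporting keywords


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Detection:
    value: str              # the matched text exactly as it appeared
    confidence: str         # "high", "medium" or "low"
    keyword: Optional[str]  # supporting evidence that was found, if any


def detect_tax_ids(text: str) -> List[Detection]:
    """Grade every regex hit by the evidence around it.

    The regex alone matches any 9 digits, which is where false positives come
    from.  A checksum pass plus a nearby keyword gives high confidence, a
    checksum pass alone medium, a keyword alone low, and a bare regex hit with
    neither is not reported at all.
    """
    lowered = text.lower()
    results: List[Detection] = []
    for m in TAX_ID_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        valid = luhn_valid(digits)
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        keyword = next((k for k in SUPPORTING_KEYWORDS if k in window), None)
        if not valid and keyword is None:
            continue
        confidence = "high" if valid and keyword else "medium" if valid else "low"
        results.append(Detection(m.group(), confidence, keyword))
    return results


# Constructed sample documents, one per evidence combination.
SAMPLES = {
    "labelled": "Customer tax id: 123-456-782, please quote it on all correspondence.",
    "unlabelled": "Reference number 555 555 556 was entered by the clerk.",
    "checksum_fail": "Taxpayer number on file: 987 654 321 (old record).",
    "noise": "Shipment weight 123 456 789 grams in total.",
}


def scan_samples() -> Dict[str, List[Detection]]:
    """Run the matcher over every constructed sample."""
    return {name: detect_tax_ids(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(name, [(d.value, d.confidence, d.keyword) for d in found])
```

When tuning a policy, the two levers this shows are the validator (which discards the "noise" sample outright) and the confidence threshold the policy acts on: a DLP rule set to "high" fires only on the first sample, while "medium" also catches the unlabelled but checksum-valid number.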

 

Automated on-premises network discovery

Many organizations have data stored not just in cloud services like Microsoft 365, but also in on-premises data stores. Microsoft Information Protection provides the unified labeling scanner to automatically discover, classify, label and protect sensitive content at rest in your on-premises file shares and SharePoint sites. The scanner works according to the policies you have configured in the Microsoft 365 compliance center. Every month, billions of on-premises files are scanned and protected using the scanner by hundreds of organizations to comply with internal policies and external regulations.

Previously, customers who used the on-premises scanner had two main challenges. The first was knowing where to start their data discovery journey. This challenge is compounded by the fact that new content and new file shares are constantly being created by end users. The second challenge was determining how to prioritize scanning among the thousands of repositories holding petabytes of data. We’re excited to address both challenges with the public preview of the network discovery feature within the scanner. This new feature can be used as a first step into on-premises data discovery, to automatically map file shares, and to identify overexposed file shares to prioritize for scanning. The network discovery feature of the scanner enables you to target IP ranges and specific IPs to find shares hosted in these networks and to use access information to identify overexposed file shares.
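The prioritization step, "use access information to identify overexposed file shares", is the part worth seeing in code. The following is an added example, not the scanner's own logic: it takes a constructed inventory of the kind a share enumeration of your own file servers yields (host, share name, and the share's access entries) and ranks the shares by how broad the principals with access are, so the most exposed ones go into the first scan job. The principal list, the weights and the threshold are this example's own heuristics.

```python
"""Rank discovered file shares by exposure (added example, not scanner code)."""
from typing import Dict, List, Tuple

# Principals whose presence on a share ACL means "far more than the owning
# team can read this".  Weights are a heuristic chosen for the demo.
BROAD_PRINCIPALS = {
    "Everyone": 100,
    "ANONYMOUS LOGON": 100,
    "Authenticated Users": 80,
    "Domain Users": 60,
    "Domain Computers": 30,
}
WRITE_BONUS = 20  # broad write access is worse than broad read access
WRITE_LEVELS = {"Change", "Full"}

# Constructed inventory: (host, share, [(principal, access level), ...]).
INVENTORY: List[Tuple[str, str, List[Tuple[str, str]]]] = [
    ("FS01", "Finance$", [("CORP\\Finance-Team", "Full"), ("CORP\\Domain Admins", "Full")]),
    ("FS01", "Public", [("Everyone", "Change")]),
    ("FS02", "HR-Archive", [("NT AUTHORITY\\Authenticated Users", "Read"), ("CORP\\HR", "Full")]),
    ("FS03", "Builds", [("CORP\\Domain Computers", "Read"), ("CORP\\CI", "Change")]),
]


def _short(principal: str) -> str:
    """Drop a DOMAIN\\ or NT AUTHORITY\\ prefix so names match the weight table."""
    return principal.rsplit("\\", 1)[-1]


def exposure_score(aces: List[Tuple[str, str]]) -> Tuple[int, List[str]]:
    """Score a share by its single worst access entry and explain why."""
    worst, reasons = 0, []
    for principal, access in aces:
        weight = BROAD_PRINCIPALS.get(_short(principal), 0)
        if weight == 0:
            continue
        if access in WRITE_LEVELS:
            weight += WRITE_BONUS
        reasons.append(f"{_short(principal)} has {access}")
        worst = max(worst, weight)
    return worst, reasons


def prioritize(inventory=INVENTORY) -> List[Dict]:
    """Return shares as UNC paths, most exposed first (stable for ties)."""
    ranked = []
    for host, share, aces in inventory:
        score, reasons = exposure_score(aces)
        ranked.append({"share": f"\\\\{host}\\{share}", "score": score, "reasons": reasons})
    return sorted(ranked, key=lambda r: -r["score"])


def scan_candidates(inventory=INVENTORY, threshold: int = 60) -> List[str]:
    """UNC paths worth putting into the first scan job."""
    return [r["share"] for r in prioritize(inventory) if r["score"] >= threshold]


if __name__ == "__main__":
    for r in prioritize():
        print(r["score"], r["share"], "; ".join(r["reasons"]) or "team-scoped only")
    print("first scan job:", scan_candidates())
```

Scoring by the worst single entry rather than summing keeps the scale meaningful: a share readable by Everyone is the priority regardless of how many team-specific entries sit beside it, and a share with no broad principal at all scores zero and can wait for a later job.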

 

Protecting sensitive information in Office apps

Microsoft Information Protection’s sensitivity labels are central to how your business-critical data can be protected. You can create a sensitivity label and associate it with protection like encryption and visual marking. Label-applied protection will persist with the file wherever it goes.

You can start by empowering your users to manually label documents and emails in Office apps across a wide range of platforms (Windows, Mac, iOS, Android and web). Learn more here on how to enable this manual labeling. However, users may forget to label manually or may label sensitive data inaccurately. Relying on users alone to manually classify corporate data using labels is not sufficient. The scalable approach is to automatically discover, label, and protect sensitive data. To help you achieve that, we announced the general availability of automatic labeling in SharePoint, OneDrive, and Exchange.

It is equally important for your users to be informed when they are working with sensitive data while creating or editing Office documents. So, we integrated automatic labeling directly into Microsoft 365 applications to meet users where they do their work. Word, Excel, PowerPoint and Outlook applications recommend or automatically apply a sensitivity label to a file if it includes sensitive corporate or personal information, even as the document is being edited. When a sensitivity label is recommended or automatically applied, a policy tip is shown.

 

Figure 1: Policy tip for an automatically applied label, shown when the user adds sensitive content

 

We’re excited to announce that automatic labeling is rolling out to general availability in the Word, Excel, PowerPoint and Outlook applications on Windows in the Current Channel. This functionality is already generally available in Office apps on the web. You can configure auto-labeling for Office apps in the Microsoft 365 compliance center.

We also added a feature in Word on Windows to make it easier to understand what content in your document caused a label to be recommended by highlighting and itemizing the detected sensitive terms, similar to incorrect spelling. We haven’t brought this experience to other Microsoft 365 applications or platforms yet, and we’re interested to hear what you think of this feature.

 

 

Figure 2: Sensitive terms highlighted in Word on Windows

 

Figure 3: Sensitive terms listed in the Editor pane in Word on Windows

 

Customer Key support

We are happy to announce upcoming Customer Key support for Microsoft Teams. Microsoft helps keep Teams data safe by encrypting it while at rest in Microsoft datacenters. Now we are extending this capability to enable customers to add a layer of encryption using their own keys for Teams, similar to Exchange Online, SharePoint Online and OneDrive. Learn more.

 

Double Key Encryption

Microsoft 365 apps and services provide built-in data protection by encrypting customer data, both at rest and in transit. For added protection, we encrypt customer data at the application layer and provide flexible key management solutions. Customers can further protect their data based on content using Microsoft Information Protection’s classification and labeling capabilities. Adding to our data protection solutions, we are pleased to announce the general availability of Double Key Encryption for Microsoft 365. Double Key Encryption helps organizations, especially in highly regulated industries, protect their mission-critical data, which is a small volume of their overall data.

With Microsoft Information Protection, we provide customers with a broad set of capabilities that helps them meet most of their data protection needs for organization-wide data. With Double Key Encryption for Microsoft 365, we now enhance the depth of protection for highly sensitive data to meet specialized requirements. Double Key Encryption enables you to protect your highly sensitive data while keeping full control of your encrypted data. It uses two keys to protect your data—one key is in your control, and a second key is stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, giving you full control over the privacy and security of your data. With Double Key Encryption, you can maintain full control of your key, enjoy consistent labeling experiences, and simplify deployment.

If you are using the unified labeling client for classifying in the Word, Excel and PowerPoint apps on Windows, you can apply sensitivity labels that protect your data using Double Key Encryption. If you are using the unified labeling scanner to label files on-premises at scale, you can now apply sensitivity labels that protect data using Double Key Encryption. Double Key Encryption now also offers expanded file format support covering PDF and TXT files and more, not just Office file formats.
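The property the previous section describes, that protected content is readable only by someone holding both the customer-controlled key and the key held in Azure, is easiest to see in a small model. The following is an added example and not Microsoft's implementation: it wraps a random per-document content key twice, once under a "Microsoft-side" key and once under a "customer-side" key, and shows that a party with only one of the two cannot recover the document. The key sizes, the wrap order, and the cipher itself (an HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen so the demo runs on the standard library alone) are this example's assumptions; a production system would use a standard AEAD such as AES-GCM and an HSM-backed key.

```python
"""Why Double Key Encryption needs both keys: a simplified model (added example)."""
import hashlib
import hmac
import secrets
from typing import Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, purpose: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one secret."""
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: keystream block i = HMAC(enc_key, nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key is rejected before any decryption."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if len(blob) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def dke_protect(document: bytes, customer_key: bytes, microsoft_key: bytes) -> Tuple[bytes, bytes]:
    """Encrypt the document under a fresh content key, then wrap that key twice.

    Inner layer: opened only by the Microsoft-side key.  Outer layer: opened
    only by the customer-held key.  (Wrap order is an assumption of this model.)
    """
    content_key = secrets.token_bytes(32)
    body = seal(content_key, document)
    wrapped_key = seal(customer_key, seal(microsoft_key, content_key))
    return body, wrapped_key


def dke_unprotect(body: bytes, wrapped_key: bytes, customer_key: bytes, microsoft_key: bytes) -> bytes:
    """Both keys, in the right order, are needed to reach the content key."""
    content_key = open_(microsoft_key, open_(customer_key, wrapped_key))
    return open_(content_key, body)


def recover_with_only(body: bytes, wrapped_key: bytes, key: bytes) -> bool:
    """Model a party holding a single key trying to use it for both layers."""
    try:
        content_key = open_(key, open_(key, wrapped_key))
        open_(content_key, body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    customer_key = secrets.token_bytes(32)   # would live in the customer's DKE service / HSM
    microsoft_key = secrets.token_bytes(32)  # would live in Azure
    doc = b"Board minutes: merger terms (constructed sample)"
    body, wrapped = dke_protect(doc, customer_key, microsoft_key)
    print(dke_unprotect(body, wrapped, customer_key, microsoft_key) == doc)  # True
    print(recover_with_only(body, wrapped, microsoft_key))                    # False
    print(recover_with_only(body, wrapped, customer_key))                     # False
```

The point the model makes is that the customer-side layer is not a second password on the same lock: the service holding the Microsoft-side key never sees the content key in the clear, because the outer layer has to be removed by the customer's service first, and the customer's service alone is equally stuck at the inner layer.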

 

In addition, Microsoft has partnered with Thales so that the key under your organization’s control can be managed in a Thales Luna HSM, which you own and control and which meets the FIPS 140-2 Level 3 high-assurance NIST standard. Please read more about this powerful integration here.

 

Getting started

Here’s information on licensing and on how to get started with the capabilities announced today:

  • Sensitive information types are available as part of Microsoft 365 E3 and Microsoft 365 E5. Please note that the additional sensitive information types announced today will be available for immediate use within Data Loss Prevention for Microsoft 365 services, Communication Compliance, Information Governance, Records Management and Microsoft Cloud App Security. They will become available in the AIP unified labeling client and on-premises scanner, Endpoint Data Loss Prevention and Microsoft 365 apps in the near future.
  • The network discovery feature is available as part of Microsoft 365 E5. To get started, download the latest preview release of the scanner or upgrade your existing scanner deployment. Once on-premises scanner setup is complete, use this PowerShell cmdlet to create the network discovery service and create a new network scan job containing the list of IP ranges you would like to scan.
  • Automatic classification and labeling in apps and services is part of Microsoft 365 E5 and Office 365 E5.
  • Double Key Encryption (DKE) is available as part of the Microsoft 365 E5 and Office 365 E5 suites. To get started with DKE, navigate to GitHub to clone this repository and set up the service. You can also learn more about DKE here.

Please watch our videos to learn more about MIP and get a deeper understanding of many of the capabilities outlined here. Check out our latest announcements in data loss prevention, customer value created by our partners using the MIP SDK, and our compilation of past product announcements for the Information Protection and Governance solution area. To learn more about Microsoft Compliance and access technical training, visit the Virtual Hub today.

If you don’t already have a Microsoft 365 E5 license, make sure to sign up for a trial.

As we all learn how to navigate in this challenging time, Microsoft has made available additional resources to help. For more information about how to secure your organization in this time of crisis, make sure to visit our Remote Work site.

 

Maithili Dandige, Principal Group Program Manager, Microsoft Information Protection

 

Updated May 11, 2021
Version 7.0