Microsoft Information Protection now extends beyond Rights Management

Overview

Microsoft Information Protection helps you discover, classify, label and protect your sensitive information, wherever it lives or travels. We have typically offered sensitivity-label-driven protection of individual files via our Rights Management Service (RMS). RMS offers encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices: phones, tablets, and PCs. We have typically offered such protection via both cloud keys (Microsoft-managed and bring-your-own-key (BYOK)) and on-prem managed keys (HYOK-based).

 

Some customers seek a solution that allows them to use this label-based protection capability to implement additional controls and leverage existing encryption and DLP technologies. We’ve heard your feedback and we are now shipping two additional protection capabilities.

 

Label-based S/MIME encryption and signing

With Office 365 Message Encryption (OME), your organization can send and receive encrypted email messages between people either inside or outside of your organization. Office 365 Message Encryption works with Outlook.com, Yahoo!, Gmail, and other email services.

 

While we prefer that you use OME because it’s the simplest and most common secure collaboration solution, we understand that you may have made investments in an S/MIME infrastructure in the past.

 

Starting now, customers that use S/MIME as their email signing or encryption option for email collaboration can replace the act of manually applying S/MIME by using sensitivity labels that automate applying S/MIME encryption within the Outlook app running the Azure Information Protection client. This new capability allows organizations that have already deployed a functional S/MIME infrastructure to provide a more consistent end-user experience by using a standard Microsoft Information Protection label for all their classification and protection needs.

 

For example, organizations can now allow users to send emails to their external partners using a “Confidential\B2B” classification label when the policy behind the label happens to be the application of S/MIME encryption.

 

 

Figure 1. Alice shares a contract using mail and applies “Confidential \ B2B” label that triggers S/MIME protection

Figure 2. Partner receives an email that is encrypted using S/MIME

 

When your users are comfortable with the new Microsoft Information Protection labeling experience, you can simply migrate from the existing S/MIME deployment to the seamless secure collaboration based on Office 365 Message Encryption with a single-click change in your label policy.

 

More on how you can enable this can be found at Configure a label to apply S/MIME protection in Outlook.

 

Label-based Information Protection on Windows 10

As you may know, we announced the public preview of our Information Protection capabilities on Windows 10 endpoints in September 2018. As part of the unified labeling and protection experience, our goal is to ensure that our broad set of information protection solutions can understand labels attached to documents and emails and apply the appropriate policy-based actions, even beyond what’s provided by Azure Information Protection or RMS. With this new capability, Windows 10 devices can read, understand and act on sensitivity labels in documents and automatically apply Windows Information Protection (WIP) policy on work data, no matter how it reaches a managed PC.

 

This extends information protection on managed Windows devices and endpoints and helps protect labeled files from accidental leakage, with or without applying encryption. For example, Windows can understand that a Word document residing on a user’s computer has a label of “Confidential”, and as a result of the policy defined by the organization, apply a Windows Information Protection (WIP) policy to prevent the copying or sharing of the data to any non-work location from that device (such as personal email accounts, social channels, etc.).

 

Figure 3. M365 Security & Compliance Center – Endpoint data loss prevention configuration page

 

Figure 4. End user attempts to copy a Confidential file to their personal OneDrive and the copy action is blocked by Windows Information Protection

 

Figure 5. End user attempts to copy a Confidential file to their personal OneDrive and is warned by Windows Information Protection

 

To read more about how to enable this feature, see How Windows Information Protection protects files with a sensitivity label.

 

Next steps

We are excited to take Microsoft Information Protection classification, labeling and protection beyond just the traditional Rights Management, and to help customers utilize many different forms of protection. We would love to get your feedback on these recently introduced capabilities and learn more about other high-priority needs that you may have. We encourage you to try the new features and join our ever-growing Yammer community.

 

7 Comments

Thanks for that great update! 

Occasional Contributor

Great update!

Hi @Denis Mizetski, Thanks for sharing the latest update.

Occasional Visitor

Hi @Denis Mizetski,

Thanks for sharing this update. I'm wondering if the S/MIME encryption can also kick in when I attach a labelled document to an e-mail without specifically labelling the e-mail?

Microsoft

Yes, it can. You can define that mail gets its label from the attachment (if you have a number of them, the one with the highest sensitivity takes precedence) and then set S/MIME as the action for this label.

New Contributor

"Starting now, customers that use S/MIME as their email signing or encryption option for email collaboration can replace the act of manually applying S/MIME by using sensitivity labels that automate applying S/MIME encryption within the Outlook app running the Azure Information Protection client."

 

@Denis Mizetski Does the above mean that this is exclusively for Outlook on Windows running the Azure IP client? With your broader direction of natively integrating the labeling capabilities of Azure IP into Outlook on Mac, iOS and Android (and with Windows coming), I'm wondering if it is more generally available to those platforms too. Thanks.

Microsoft

Just the customers that use the AIP add-in in Outlook. No plans for this being taken to the native labeling experience right now.