Home
Microsoft

Across Microsoft Information Protection solutions, our goal is to provide a comprehensive set of capabilities to help you protect your sensitive data throughout its entire lifecycle – across devices, apps, cloud services and on-premises. With the exponential growth of data and increasing data mobility, it’s critical to implement an information protection strategy that not only enables you to meet your internal security objectives, but also address new and emerging compliance and privacy requirements. We’ve recently released several new capabilities to help you discover, classify & label, protect and monitor your sensitive information – here’s a quick roundup of the latest news.  

 

You can also check out this video to see some of the highlights in action:

 

 

A unified approach to data classification and label management

In order to effectively apply policy-based protection and controls to your sensitive data, you need to be able to inspect and reason over documents and emails. We provide a unified approach to data classification across our information protection and data governance solutions. There are over 90 out-of-the-box sensitive information types that you can use to detect common types of data, such as financial data, PII or health-care related information. You can also create and customize your sensitive information types (such as detecting employee ID numbers that are unique to your organization). Our classification engine is leveraged across services – including Azure Information Protection, Microsoft Cloud App Security, Advanced Data Governance and Office 365 Data Loss Prevention – enabling consistent classification outcomes for the purpose of applying labels, protecting information and enforcing data policies.

 

In addition to a consistent approach to data classification, we also provide a unified experience for configuring and managing labels – both sensitivity labels for the purpose of apply protection policies and retention labels for the purpose of applying data governance policies. In late 2018 we released a unified label management experience in the Office 365 Security & Compliance Center. Customers have been using this to create and configure their sensitivity labels and retention labels, set label policies and migrate existing labels from the Azure portal (for Azure Information Protection customers). The recently released Microsoft 365 security center and compliance center gives admins an enhanced experience and a dedicated workspace to manage Microsoft 365 security and compliance solutions, including sensitivity labels and retention labels.

 

The New Microsoft 365 Security Center.pngThe new Microsoft 365 security center and compliance center (rolling out now) provides a centralized workspace to manage your Microsoft 365 security and compliance solutions, including management of your sensitivity labels and retention labels.

 

We’ve also recently announced two new retention capabilities, including the general availability of file plan manager, which helps you migrate complex retention hierarchies into Office 365, and a new assessment of Office 365’s ability to meet SEC 17a-4 requirements around immutability.

 

New sensitivity labeling capabilities built into Office apps – across platforms

We want to make it easy for end-users to apply sensitivity labels to their documents and emails – without interrupting their workflow or productivity. We recently announced the availability of end-user driven labeling capabilities built natively into Office apps on Mac, iOS and Android. This enables users to assign the appropriate sensitivity label while creating or editing documents and emails – such as “Highly Confidential” when the file contains company secrets. Based on the policies defined by your company, sensitivity labels can result in several actions, such as encryption, rights restrictions or adding visual markings stamped to the document. The experience is consistent and familiar across Office applications.

 

M&A Plan.pngApply sensitivity labels in Office apps on Mac – encryption, rights restrictions and visual markings can be applied, based on your label policy

Easily apply the same sesnitivity.pngEasily apply the same sensitivity labels in Office mobile apps on iOS and Android

 

Learn more about the native labeling experience in our blog.

 

We’re also announcing an updated public preview of the Azure Information Protection client that supports unified labeling. The Azure Information Protection unified labeling client gets it sensitivity labels and policy settings from the Security & Compliance Center or the Microsoft 365 security center (as mentioned earlier). This is particularly useful for existing Azure Information Protection customers who want to evaluate and test the unified labeling and protection capabilities in Office apps on Windows (Word, PowerPoint, Excel and Outlook). The original public preview of the Azure Information Protection unified labeling client supported several features, such as end-user driven manual labeling, and the new updated public preview version now includes recommended labeling, automatic labeling and other customization options. Learn more about the supported features or read our product documentation.

 

 

Apply sensitivity labels.pngApply sensitivity labels to Office apps on Windows using the Azure Information Protection unified labeling client (in preview)

 

Enhanced data discovery and protection across your on-premises repositories

The Azure Information Protection scanner is used by customers all over the world to discover, classify, label and protect sensitive information that resides in their on-premises file servers. Based on customer feedback to provide additional capabilities to make it easier and more efficient to deploy and manage the Azure Information Protection scanner at scale, we recently released a new management and operational UI.

 

The management UI (currently in public preview) helps you manage scanner configuration and scanned repositories – all in one central place within the Azure portal. You can configure sensitive information types that you want to discover, set file types to be scanned, set default label settings along with other configuration options.

 

Azure Information Protection Scanner.pngAzure Information Protection scanner profiles management page enables admins to set scanner configuration options

We also recently announced the general availability of a new operational UI which makes it easier to stay on top of Azure Information Protection scanner operations, such as monitoring the status of all scanner nodes, get the latest scanning statistics, initiate on-demand incremental scans or run full rescans. Learn more about the latest Azure Information Protection scanner UI experience in our blog or review the product documentation.

 

New classification methods to automatically detect sensitive credential information in documents

While we provide over 90 out-of-the-box sensitive information types that you can use to detect common types of data, a frequent customer request has been the ability to automatically detect passwords and other credential types that users have recorded or pasted in unprotected files. For example, sometimes users and admins use Word or Excel to store a list of usernames and passwords they use for applications and services. We’re announcing the public preview of the first group of credential types that we can automatically detect – focusing on Azure secrets and SQL credentials. These new sensitive information types are coming first to Azure Information Protection and will be coming soon to Office 365. Similar to other sensitive information types, you can configure your policy to recommend a sensitivity label to the user or automatically apply a label and protection settings. Read more about the credential types supported in our blog.

 

Credential information.pngCredential information in a document is automatically detected; sensitivity label is recommended or automatically applied

 

Deeper visibility into the sensitive data landscape across your organization

The information protection lifecycle wouldn’t be complete without the ability to understand your sensitive data landscape. Within the new Microsoft 365 security center (and compliance center), the new Label analytics page (currently in preview), provides the starting point for you to better understand label usage across your organization. You can quickly see the overall activity of sensitivity labeling during the past 30 days, the distribution of labels used (such as how many “Highly Confidential” labels were applied), along with the location where labels were applied (such as Word, Excel, PowerPoint, File Explorer).

 

Label Analytics.pngLabel analytics (preview) in the Microsoft 365 compliance center gives you an overview of labeled documents and emails – for both retention labels and sensitivity labels

 

For a deeper view into sensitivity label activity, you can go the Azure Information Protection portal. In late 2018 we announced the public preview of Azure Information Protection analytics, which gives you insights into classified, labeled and protected documents across your organization. There have been several updates to the preview experience over the past couple of months. Information from Windows computers running Windows Defender ATP is now included. Additional activity information is also included, such as which users have accessed a specific labeled document and whether a document label has been upgraded or downgraded by a user. You can learn more in the product documentation. We are targeting general availability in early Q2 CY19, so stay tuned.

 

Activity Details.png

 

Extend visibility into sensitive information in Windows endpoints

While more and more data lives in cloud services, a significant amount of important data also resides on end-users’ devices. Endpoints represent a key control point for your information protection strategy – especially since devices are often the entry point for sophisticated attacks and data breaches. Windows Defender Advanced Threat Protection (Windows Defender ATP), Microsoft’s endpoint protection platform, can now understand Microsoft Information Protection sensitivity labels – providing visibility into sensitive data on endpoints, protect data based on its content and help you respond to post-breach malicious activity that involves sensitive data.

 

This integration enables Azure Information Protection analytics to show information on labeled data on Windows devices (as reported by Windows Defender ATP). This help gives admins better visibility into sensitive information residing on a given endpoint and investigates and mitigate security threats on potentially compromised machines.

 

The Azure Information.pngThe Azure Information Protection Data discovery dashboard shows labeled files discovered on endpoints by Windows Defender ATP; along with a device risk calculation to help direct further investigation

Learn more about the latest integration between Windows Defender ATP and Microsoft Information Protection in our blog.

 

Partners are extending Microsoft Information Protection experiences to their own apps and services

At the RSA Conference in 2018 we announced the public preview of the Microsoft Information Protection SDK, which became generally available in September 2018. Since then, we’ve made several updates, and our partners are developing a diverse set of integrations – ranging from endpoint DLP solutions, classifying and labeling, to reporting on data that has been labeled and protected. With the Microsoft Information Protection SDK, we now have a comprehensive cross-platform SDK that covers Windows, Linux, macOS, iOS and Android. More details on partner integrations are available here. Download the Microsoft Information SDK and get started!

 

Getting started and looking ahead

We encourage you to start evaluating and deploying these new capabilities. Start using the unified labeling experience to configure and deploy your sensitivity labels. Use the native labeling experience in the Office apps on Mac, iOS and Android to empower users to label and protect their documents and emails. Enable Windows users to do the same by using the Azure Information Protection unified labeling client (preview). Configure Windows Information Protection and Windows Defender ATP to help protect sensitive data on Windows endpoints. Gain visibility into sensitive data across your environment using the Label analytics preview in the Microsoft 365 security center and go deeper with Azure Information Protection analytics.

 

You can also engage with us and the community on Yammer or Twitter and provide additional feedback on UserVoice.

1 Comment
Regular Visitor

Great article @Gagan Gulati  - I note that the policies that publish the sensitivity labels are limited to users and groups whereas retention labels can be targeted to sharepoints sites, onedrive etc.  At Ignite, the presentations showed an additional Sensitivity label column in SharePoint and default settings when provisioning a site.  I cannot find any reference to this function on the Roadmap - is this still a planned feature - if so when are we likely to see it hit our tenants?  Without this feature I think many of us will struggle to get true value out of the labels - my data governance team are screaming out for this.