Use sensitivity labels on all e-mail messages, use encryption and protection where warranted
Published May 23 2023 09:31 AM
Microsoft

Many organizations would like to apply encryption to all e-mail messages because it improves their information security posture. Is encrypting all messages the right way to go?

E-mail encryption is the process by which information is encoded so that only an authorized recipient can decode and consume it. On top of this, Microsoft Purview Information Protection (MIP) also provides effective protection after the content has been decrypted and opened. MIP provides both encryption and protection. For more information please read this document; in this blog post we only discuss Microsoft Purview Message Encryption.

The definition above hides a challenge for modern workplaces: business systems like CRM, mailbox delegates, compliance and anti-malware systems, and many other integrations are not the recipients of the immediate e-mail thread, so they cannot be authorized automatically without proper integration with the encryption system.

Another challenge is that if encryption gets in the way of the users, they will find ways to get around the system, or the escalation will reach the board because productivity is impaired. Either case will force you to produce a more effective plan.

Before attempting to encrypt all e-mails, ask yourself why. The most common reason organizations want to encrypt everything is that they do not want to overwhelm end users with options and want to reduce the risk of mistakes; it is hard for users to determine the sensitivity or impact level of the information they share. Considering the impact encryption has on business processes, encrypting everything will likely not deliver the expected simplicity.

What information is commonly encrypted and protected, can classification be made simpler?

Please see the classification framework concepts on this page: Concepts - Classification labels | Microsoft Learn.

Confidential and Highly Confidential is where most organizations set the bar for encrypting and protecting. Examples of Confidential content are proposals going to a customer, or internal conversations about a confidential business proposal. Highly Confidential is the secret recipe that helps the organization get ahead of the competition; exposure of such trade secrets can severely impact regulatory compliance, business value and reputation.

Public/General data is commonly only labelled, not protected/encrypted, so that DLP and other tools can determine the class of data. A key tool that organizations can use to help users correctly classify e-mails is auto-labelling policies: Automatically apply a sensitivity label in Microsoft 365 - Microsoft Purview (compliance) | Microsof....

If you choose to encrypt Public/General data, consider having at least one label that doesn’t encrypt, to allow for an internal exception. Use auto-labelling that recommends or notifies users which label to apply while they are working on a document on the client side.

To make this successful, your labels need to make sense to your users, and you need to equip them with the right level of guidance and training: for example, the valid scenarios in which they can use non-encrypting labels, and why policy tips are showing.

What challenges do I need to consider if I want to encrypt all e-mails?

Here are some learnings from organizations that have encrypted most of their e-mail flow.

Shared Mailboxes used for internal and customer conversations

MIP encryption of e-mails, whether Advanced Message Encryption or MIP sensitivity labels configured with encryption, can cause issues with existing shared mailbox processes.

  • Users with delegated access to the mailbox through groups, or with delegations that are not set up to auto-map, will be impacted.
    • For MIP/template-encrypted messages to work, both the shared mailbox and the user must have access to the information protection label.
    • Microsoft is working on shared mailbox delegation improvements to support group access to OME messages.
    • OWA allows access to protected content since it can use trusted back-end services to validate access. You can choose to completely block access for delegates.
      • For template-based labels, note that both the resource mailbox and the user need to have access.
    • Business applications accessing the mailbox to retrieve content.
      • We will address this later.


Mailbox delegates, e.g., a user sharing a mailbox or folders using Outlook.

Mailbox delegates can be configured without any administrator interaction. MIP-encrypted content will not be readable by delegates from the Win32 Outlook client or from OWA (OME messages). There is an exception: if the user has direct permissions via the template, they can open the message via Win32 Outlook (UDP/Do Not Forward/Encrypt Only messages are not accessible).

Line of Business systems and custom applications

Line of business systems can be more complex, both regular CRM products and your own custom applications.

  • LoB systems that run in the context of the user for uploads to the system will generally not require additional integration. Although most systems support encryption, they do not support protection; consider eDLP policies or similar to add protection to the web interface of the CRM, for example.
  • LoB apps that are not running in the context of the user should integrate by using the MIP SDK.
  • If your application has a dedicated mailbox where content is delivered, you can either use the MIP SDK or choose to decrypt the content before delivery to the mailbox, using the DLP option “Remove message encryption and rights protection”.
  • Another option, if encryption becomes a problem for internal users of the LoB system, is to use auto-labelling to recognize when something needs processing by the unsupported app, strip the encryption and apply the label only.
  • When the LoB system sends messages, you can either use the MIP SDK to encrypt them or use transport rules or DLP rules to apply protection.
  • External business systems that process e-mails: depending on how your business partners work, they may hit challenges decrypting the messages.
    • Microsoft is working on a feature that will allow organizations that use custom brand templates to still deliver an inline viewable file to external organizations.
  • For third-party applications, turn to your software vendor to provide support by integrating the MIP SDK.

Make sure to have a flexible approach to these systems, since blocking business systems will reflect badly on the project and leave large portions of the user groups unable to migrate. You have good options in transport to either remove protection or apply a different encryption based on your business needs. You may combine this with the data type included in the e-mail and set the appropriate sensitivity label.

External organizations

When communicating with external parties there are two experiences, depending on your settings. For Microsoft-based services you can use the inline view of messages, unless you are using a custom branding template to deliver messages. Microsoft plans to deliver a feature that allows messages to be delivered with an inline view for custom templates. Note that the inline view doesn’t work with features such as revoke.

Older versions of tenant restrictions may interfere with protected messages. The new cross-tenant access settings should not cause the same issues; read the documentation to learn more about cross-tenant access settings. This report can provide insights into cross-tenant activity.

You may share a simple guide based on this with your business partners to educate them on how to open protected messages.

Security & Compliance

  • eDiscovery is a key requirement in today’s enterprises. To fully search MIP-protected e-mails and attachments, eDiscovery premium is required: Decryption in Microsoft Purview eDiscovery tools - Microsoft Purview (compliance) | Microsoft Learn
  • MIP-protected content with DLP and other communication monitoring products:
    • Microsoft’s built-in compliance tools fully support monitoring communication of MIP-encrypted messages.
    • Many third-party vendors have support to scan MIP (RMS) encrypted content.
    • Malware scanning: threat actors may attempt to use encrypted content to deliver malicious payloads.
      • Microsoft’s built-in security tools fully support the monitoring of MIP-encrypted content originating from any tenant.
      • Many third-party vendors support MIP-encrypted content and can scan the content.
        • If not available, investigate whether they can add support through the MIP SDK. As an alternative, you may have to remove protection and, once the message is processed, add it back to the e-mail, using the DLP option “Remove message encryption and rights protection”.
        • If the message comes from an external tenant that used its own tenant to protect the content, you need to route it over M365 for content inspection.

An exception to the above is if your organization has deployed DKE (Double Key Encryption (DKE) - Microsoft Purview (compliance) | Microsoft Learn). Microsoft does not have visibility into content that has been protected using DKE. You can use the Microsoft MIP SDK to integrate with DKE.
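The two transport-level options mentioned in the Line of Business section and again under Security & Compliance (stripping message encryption for a dedicated mailbox that an unsupported application reads, and applying protection in transport to messages an application sends) can be expressed as Exchange Online mail flow rules. The following is an added example written for this post, not code from the original article or from Microsoft; the mailbox addresses are placeholders, and it assumes the ExchangeOnlineManagement module is installed and the account has rights to manage transport rules.

```powershell
# Added example (not from the original post). Assumptions: ExchangeOnlineManagement
# module installed; the signed-in account can manage transport rules; the two
# addresses below are placeholders for your own application mailbox and LoB sender.
Connect-ExchangeOnline

$appMailbox = 'crm-intake@contoso.example'   # placeholder: mailbox a LoB app reads from
$lobSender  = 'erp-noreply@contoso.example'  # placeholder: address a LoB app sends from

# 1) Remove Purview Message Encryption and rights protection from messages that
#    internal senders deliver to the application mailbox, so an app that cannot
#    use the MIP SDK can still read the content. Scoped to internal senders only,
#    and created in Audit mode so the hits can be reviewed before enforcing.
New-TransportRule -Name 'LoB intake: remove message encryption' `
    -Comments 'Transport equivalent of "Remove message encryption and rights protection" for the app mailbox' `
    -FromScope InOrganization `
    -SentTo $appMailbox `
    -RemoveOMEv2 $true `
    -Mode Audit `
    -Priority 0

# 2) Apply protection in transport to messages the LoB system sends to external
#    recipients, for a system that cannot call the MIP SDK to encrypt on its own.
New-TransportRule -Name 'LoB outbound: apply Do Not Forward' `
    -Comments 'Transport-applied protection for an application that cannot encrypt itself' `
    -From $lobSender `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Mode Audit `
    -Priority 1

# Review the rules; change -Mode to Enforce once the audit results match expectations.
Get-TransportRule | Where-Object { $_.Name -like 'LoB *' } |
    Format-Table Name, State, Mode, Priority
```

Keep the decrypting rule as narrow as possible (one sender scope, one mailbox) so that removing protection never becomes a general path around the labels, and review the rule hits in the audit period before switching to Enforce.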


Conclusion

While it may seem tempting to encrypt all messages using Microsoft Purview Message Encryption, there is a significant risk that you will hit several of the challenges mentioned in this document. It is not as hard as with S/MIME, where you must share private keys and use other methods to provide access, but the impact on end users is significant enough that you should carefully plan your implementation.

You need to carefully balance user impact and organizational risk. By over-encrypting content you may inadvertently force users to classify content incorrectly in order to fulfil their business functions, increasing the risk to the very content you are attempting to protect.

Correctly labelling content by sensitivity and destination is important. So, if you haven’t started, enable it today; even without encryption it will still help you. Enable auto-labelling on internal/external communications based on data that is sensitive to your environment; even without encryption it will improve visibility and build the knowledge you need to implement encryption effectively. Follow up using Activity Explorer and Content Explorer.

As always we look forward to your feedback!


Thank you,

Microsoft Purview Information Protection team.
