In this post we will break down sensitivity labels and then provide guidance on how to get started down your journey to utilizing retention and sensitivity labels.
In Part 1 of this series, we broke down why labels and classification are important, what retention is, and how retention labels work within Microsoft 365. We also went into some records management with labels and the power that type of label has.
How can you protect files rather than just keeping them? Keeping or deleting files is handled through retention; protecting them is handled through sensitivity labeling. Imagine the lifecycle of a sensitive file. Even if you are fully within the Microsoft 365 ecosystem there is the potential for data exfiltration or data loss.
Someone will create a file, modify it across different locations and then share it with others. That data should not be shared with people who should not have it regardless of the system it is hosted on. If it is accessed it should be monitored and managed.
Sensitivity labels allow you to classify and protect content within the content itself, and the label stays persistent with that file regardless of its location. Users can continue to collaborate while the sensitivity label carries the protection. These labels are actual metadata written into the document, so they travel with the document as it moves. This is what allows a DLP engine to read the label or encryption to be applied.
With sensitivity labels you can do such things as:
- Apply a watermark, header, and footer
- Enforce encryption
- Enforce alignment with Cloud App Security or MS based endpoint protection
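Because the label is written into the file as document properties, a defender can read it back out of the file without any Office client, which is exactly what a DLP engine or an audit script does. The following is an added example, not code from the original post or from Microsoft: it opens an Office Open XML file as a zip, parses the `MSIP_Label_*` custom properties that the labeling client stores in `docProps/custom.xml`, and summarizes each label it finds, including which markings (header, footer, watermark, encryption) the label applied. The sample .docx, its label GUID, the tenant and action ids, and the bit meanings assigned to `ContentBits` are constructed or assumed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for the custom document properties part (docProps/custom.xml).
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# The labeling client writes one custom property per field, named MSIP_Label_<labelGuid>_<Field>.
MSIP_PREFIX = "MSIP_Label_"
# Assumed meaning of the ContentBits flags (header/footer/watermark/encryption); verify this
# mapping against a file labeled in your own tenant before relying on it.
CONTENT_BITS = {1: "header", 2: "footer", 4: "watermark", 8: "encryption"}


def read_custom_properties(docx_bytes):
    """Return {property name: value} from docProps/custom.xml, or {} if the part is missing."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
        value_el = next(iter(prop), None)  # the single vt:* child holds the value
        props[prop.get("name")] = value_el.text if value_el is not None else None
    return props


def extract_sensitivity_labels(docx_bytes):
    """Group MSIP_Label_* properties by label GUID -> {guid: {field: value}}."""
    labels = {}
    for name, value in read_custom_properties(docx_bytes).items():
        if not name.startswith(MSIP_PREFIX):
            continue
        guid, _, field = name[len(MSIP_PREFIX):].partition("_")  # GUIDs contain no underscore
        labels.setdefault(guid, {})[field] = value
    return labels


def decode_content_bits(value):
    """Translate the ContentBits integer into the sorted list of markings it flags."""
    bits = int(value or 0)
    return sorted(marking for bit, marking in CONTENT_BITS.items() if bits & bit)


def summarize(docx_bytes):
    """One record per label found, in the shape a DLP check or audit script would consume."""
    return [
        {
            "guid": guid,
            "name": fields.get("Name"),
            "enabled": (fields.get("Enabled") or "").lower() == "true",
            "method": fields.get("Method"),
            "markings": decode_content_bits(fields.get("ContentBits")),
        }
        for guid, fields in extract_sensitivity_labels(docx_bytes).items()
    ]


def build_sample_docx(label_guid, label_name, content_bits):
    """Constructed minimal .docx for testing; pass label_guid=None for an unlabeled file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body, not a real document
        if label_guid is not None:
            fields = {
                "Enabled": "true",
                "SetDate": "2021-03-01T10:00:00Z",  # constructed timestamp
                "Method": "Standard",  # constructed; the client records how the label was applied
                "Name": label_name,
                "SiteId": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
                "ActionId": "11111111-1111-1111-1111-111111111111",  # placeholder action id
                "ContentBits": str(content_bits),
            }
            rows = "".join(
                f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" '
                f'name="{MSIP_PREFIX}{label_guid}_{field}"><vt:lpwstr>{value}</vt:lpwstr></property>'
                for pid, (field, value) in enumerate(fields.items(), start=2)
            )
            zf.writestr(
                "docProps/custom.xml",
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Properties xmlns="{NS_CUSTOM}" xmlns:vt="{NS_VT}">{rows}</Properties>',
            )
    return buf.getvalue()


SAMPLE_GUID = "7d3f6a2b-1c4e-4f5a-9b8c-0d1e2f3a4b5c"  # constructed label id
# ContentBits 7 = header + footer + watermark under the assumed mapping above.
SAMPLE_DOCX = build_sample_docx(SAMPLE_GUID, "Confidential - Finance", 7)

if __name__ == "__main__":
    for record in summarize(SAMPLE_DOCX):
        print(record)
    print(summarize(build_sample_docx(None, None, 0)))  # an unlabeled file yields []
```

Point `summarize()` at the bytes of any real .docx, .xlsx or .pptx to see what a labeled file carries; an empty result means the file has no label property set at all, which is itself a useful signal when auditing a library that is supposed to be classified.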
Unlike retention labels, which can only be applied within the browser UI, sensitivity labels have no browser UI. This type of information protection is agnostic to its container; its priority is protecting the content regardless of where the content lives. This means that all sensitivity labeling is done through the Microsoft 365 clients, including PC, mobile, and Mac.
Sensitivity labels are built and deployed like retention labels with one major difference. Retention labels are applied to a container, while sensitivity labels are published to a user or group. This means you could build different labels for different user groups. Executives may need their own special labels while people on a shop floor could get their own. Since these labels are container agnostic, they become available when logging into any Microsoft 365 client.
Sensitivity labels can be applied:
- With a prompt for a recommendation if certain information is found within the working file
Another difference between these labels and retention labels is the ability to create sub-labels. This means you can group one or more labels below a parent label. There may be multiple types of highly sensitive or confidential information; a common breakdown is by regulation or business unit. Once you have child labels, you should not choose a parent as a default label.
Microsoft Information Protection, Azure Information Protection, and Sensitivity Labels
Microsoft Information Protection (MIP) is a suite of tools that includes things like MCAS, DLP, WIP, Advanced Data Governance, Conditional Access, and Azure Information Protection (AIP). AIP is the cloud-based tool to classify, label and protect files beyond Microsoft Office 365 including on-premises and hybrid situations.
AIP has been around for years and has been the backbone of MS-based classification for protecting files. AIP is configured in Azure and does not require a Microsoft Office 365 license. When using AIP you will see the “Protect” action in the ribbon and have further functionality in File Explorer, unlike the “Sensitivity” button in the screenshot above.
AIP labeling is not going anywhere, but Sensitivity Labeling, also known as Unified Labeling, is where the newest enhancements are being targeted.
As AIP has been around longer, it has features that the newer unified labeling solution in the Microsoft 365 security center does not have.
Both AIP and Sensitivity labels are available through a client installed on a user’s workstation. The AIP client and the unified labeling client are two different installs. The unified labeling client is an update to the AIP client, so the two cannot be installed on a workstation at the same time. Once the client is installed and the user signs in to it, the user will be able to classify content. Newer versions of Office include the unified labeling client built in. What you can do to get ready for this is to migrate your AIP labels into unified labels (sensitivity).
Need to know for sensitivity labels
- Understand the licensing for AIP P1, P2 and AIP for Microsoft Office 365
- More information on choosing which AIP client to use
- AIP and Sensitivity (Unified) labels both rely on AD RMS for protection
- After you have migrated your labels you will use both AIP and Microsoft 365 admin areas to manage labels and their policies
- Both solutions can be used at the same time, but only one client can be installed on a workstation
- iOS, Android, and Mac for Office all require unified labeling as it is built-in vs AIP
- If you delete a sensitivity label the label is not removed from existing content
- More details on understanding Unified Labeling migration
Planning for using labels in Microsoft 365
The first thing to understand is that there is no easy button for getting started with labels. Labeling allows end users to classify data, which in turn can protect or retain it, but unless the user understands what those labels mean, there will be confusion. End users just want to get work done and do not want to deeply understand company information management policies when working with a file.
Planning starts with administrators understanding the technology, the differences between the two primary types of labels, and what each is intended for.
The next step is to identify which labels will be used. This is by far the most complex part because it requires a deep dive into the actual business needs, requirements, and overall end user’s understanding.
For example, you could have 1000+ record types you are tracking on-premises. That will not translate easily to retention labels, because you would then be expecting your end users to understand 1000+ different types of retention labels. In the case of sensitivity, if you are using a classification of red, yellow, and green, the end users will need to be fully aware of the impact of labeling a file with a sensitivity classification. This could instantly restrict a piece of content via a protection template and break an existing collaboration experience they had.
I recommend a slower approach to adopting these classifications with a Crawl-Walk-Run strategy. A Crawl-Walk-Run strategy allows you to get started without having everything figured out. It then allows for incremental improvements while still starting with some protection and retention, which is better than nothing.
To get started with a Crawl-Walk-Run strategy for labeling:
- Create a document for each phase
- Document the current state of retention and protection
- Identify stakeholders and hold brainstorming workshops
- Educate the stakeholders on the new cloud based labeling
- Document something that can be done in the first 30 days within the Crawl document
  - Update classification scheme to prepare for sensitivity
  - Build how-to documentation
  - Test retention labels to understand user experience
  - Import a file plan for labels
- Document plan for the next 180 days in Walk document
  - Publish retention labels to select group
  - Test encryption with sensitivity
  - Migrate to unified if on AIP
- Document plan for the next year in Run document
  - Auto-application of sensitivity or retention labels
  - Disposition of records through M365
  - Consistent monitoring of label usage