Data governance and protection are crucial in safeguarding sensitive information. Proper classification and data labeling is essential to ensure that the right people access the right information. Failure to implement these practices can result in data breaches, financial loss, and harm to an organization’s reputation. To help with this, Microsoft offers sensitivity labels that classify and protect data as part of the compliance and security capabilities of Microsoft Purview Information Protection in Microsoft 365.
This article explores the benefits and use cases of Microsoft sensitivity labels in Microsoft 365 and provides guidance on how to maximize their functionality and overcome limitations with third-party solutions.
What is a sensitivity label?
Every organization handles data that has different levels of sensitivity. Some of it is suitable for public consumption, like press releases; some is confidential to the organization, like intellectual property (IP), M&A, and HR information; and other data is subject to regulatory requirements, such as personally identifiable information (PII), healthcare data (PHI), government and defense data like CUI. Microsoft sensitivity labels help you classify and identify your data according to its risk profile.
The sensitivity label feature in Microsoft Purview Information Protection (MPIP) has several benefits, including:
- Support for custom classifications to meet your organization’s unique requirements for categorizing the different levels of sensitive content it stores and handles.
- Allows third-party apps and services to read and leverage the labels using clear text stored in the metadata of tagged files and emails.
- Persistent sensitivity labels stay with the content no matter where it is stored or saved.
How are sensitivity labels applied in Microsoft Office 365?
Users with an Office 365 Enterprise E3 license or above can manually apply sensitivity labels to their Office files and emails. Administrators can also configure these labels to automatically apply to Office files and emails with an Office 365 Enterprise E3 or Office 365 Enterprise E5 license. Anyone with an Office 365 license can access documents or emails secured with sensitivity labels as long as the sensitivity label grants them access.
Once labels are applied, users can see that the document is ‘tagged’ in Office apps (Word, Excel, PowerPoint and Outlook). However, the sensitivity labels are not visible to users from other organizations or guests.
What are sensitivity labels used for in M365?
Sensitivity labels can be used to tag data and apply a variety of protective actions. For example:
- Label content to identify its sensitivity level for auditing/reporting.
- Apply encryption to prevent unauthorized users from accessing the content.
- Apply content markings, including headers and footers and simple watermarks such as ‘Confidential.’
- Protect content in Office apps and third party apps and services. Supported by Word, Excel, PowerPoint, and Outlook on the Office desktop apps and Office on the web. Supported on Windows, macOS, iOS, and Android. Third party support for SalesForce, Box, or DropBox using Microsoft Defender for Cloud Apps.
- Manage containers, including Teams, Microsoft 365 Groups, and SharePoint sites.
- Protect meetings and chat by labeling (and optionally encrypting) meeting invites and any responses and enforce Teams-specific options for the meeting and chat.
- Extend sensitivity labels to Power BI to protect data saved outside the service.
- Extend sensitivity labels to assets in Microsoft Purview Data Map: Label files and schematized data assets such as SQL, Azure SQL, Azure Synapse, Azure Cosmos DB, and AWS RDS in Microsoft Purview Data Map.
- Extend sensitivity labels to third-party apps and services using the Microsoft Information Protection SDK, allowing third-party apps to read sensitivity labels and apply protection settings.
What are some of the limitations of Microsoft sensitivity labels?
While MPIP labels are incredibly versatile, there are some limitations:
- If your taxonomy requires more than a single label or your organization works with government and defense. Defense contractors must often augment out-of-the-box labeling and protection capabilities to satisfy their internal requirements and those for Controlled Unclassified Information (CUI), ITAR and other complex government and defense data protection mandates.
- If files have been digitally signed (for example, by DocuSign), applying an MPIP label will break the integrity of the file, and it will no longer be considered “signed.”
- If files need different protections for at-rest, managed devices, BYOD, and guest users.
- If data sovereignty or ownership is critical to an organization. Microsoft must comply with the rules of the U.S. jurisdiction and release information to the U.S. government when requested.
Augmenting MPIP Capabilities in M365 with NC Protect
archTIS has developed a unique solution for adding fine-grain policy-based attribute-based access control (ABAC) and protection to M365 content. Policies are run in real-time at the time of access to apply conditional access and protection to files, email and chats leveraging MPIP sensitivity labels. archTIS’ membership in the Microsoft Intelligent Security Association is largely based on the enhanced compliance and security capabilities it adds to Microsoft Purview Information Protection.
NC Protect ingests Microsoft Entra ID (formerly Azure Active Directory) user attributes, Microsoft Purview Information Protection (MPIP) sensitivity labels, other classification labels/metadata and custom attributes to apply conditional attribute-based access and data protection policies.
NC Protect seamlessly integrates with your existing Microsoft sensitivity labels in M365 to add capabilities to:
- Create Unlimited labels. Although Microsoft Purview technically allows for the creation of unlimited sensitivity labels, if the label applies encryption that specifies the users and permissions, there is a maximum of 500 labels per tenant. This is problematic for organizations in Defense and other regulated industries, which often quickly exceed this. NC Protect allows you to add unlimited additional labels to meet your classification needs while still allowing you to use your existing MPIP labels.
- Use multi-label classification. MPIP supports one label per document, which can be problematic if the data is associated with two or more categories. With NC Protect, you can tag documents with unlimited multi-labels to support complex taxonomies.
- Apply ABAC using sensitivity labels. NC Protect uses attribute-based access control to control access and apply file and email protection in real time. Your existing sensitivity labels can be incorporated along with any combination of attributes to control access and apply protection with NC Protect policies.
- Control access by geolocation/nationality: ABAC policies enable NC Protect to control access and apply different file-level protection based on the user’s location and/or nationality as well as the sensitivity of the file.
- Apply user-based watermarks. NC Protect can automatically apply watermarks containing information about the user/viewer, including name, date, time, location, etc., based on sensitivity labels, headers, and footers. This deters photos and provides a digital thumbprint in the event of a security incident.
- Employ At Rest and In Motion Encryption. Ensure data is encrypted at rest and whenever it moves across any external or internal networks automatically based on the policy.
- Protect non-Microsoft file types. NC Protect is not limited to Office files and Outlook Emails. It can tag, control access, and apply file-level protection to PDF, CAD, image, text, HTML files, SharePoint list items and events, and Office and Exchange emails.
- Control guest user access. Since NC Protect controls access at the file vs. the container level, you can use sensitivity labels to prevent guests from seeing or accessing sensitive content in a site or Team they are a member of.
- Honor and protect digitally signed documents. NC Protect and NC Encrypt do not break the integrity of a file, and all document signature technologies are supported.
Additionally, users can be forced to view sensitive documents in NC Protect’s secure web viewer for read-only access that prevents save as, copy/paste, and file downloads. All document interactions are logged and can be ported to Azure Sentinel via a free Connector in Azure Marketplace for upstream actions and analysis.
Microsoft Purview Information Protection & NC Protect Better Together
NC Protect enhances your M365 sensitivity labels with ABAC policy-driven access and security made possible by the product’s tight integration with Microsoft Purview Information Protection, Azure AD and Sentinel. It extends data labeling and protection capabilities, offering customers a more robust solution for tackling sensitive data handling requirements to meet government, defense and enterprise needs.
