Secure Data Collaboration using MIP Sensitivity Labels

e-Share Blog

Organizations are under increasing pressure to share more sensitive information with external parties to keep up with market demands while still complying with data protection rules and regulations. As a result, they turn to intelligence-based Secure Data Collaboration solutions that are contextually aware of data sensitivity.

Traditional approaches to secure the sharing of sensitive files, such as Data Loss Prevention (e.g., DLP), are flawed and do not meet the needs of organizations that are embracing cloud-based productivity solutions. These flaws manifest themselves in three principal ways:

  • File transfer, not sharing – Traditional approaches to secure file sharing, such as attempting to secure email attachments, result in files being given away forever. There are no controls available once the shared files are sent, let alone any ability to remove access to the file later.

  • Inflexible to the needs of the business AND security – Because files are shared without any controls, there is only one opportunity for the organization to decide if the file transfer is appropriate. Continuing with the email attachment scenario, a DLP system evaluates the content of file attachments when the file is being sent and either allows the user to send the email with the attachments to be sent or blocks the email. The binary nature of these choices results in data protections being diminished or the business being impacted. There is no win-win.

  • Modern Collaboration is not extended to external parties – Productivity suites such as O365 have drastically improved the productivity of workgroups who can now create, edit, review, and collaborate around a single copy of a shared file. But when it becomes necessary to bring clients, partners and suppliers into these collaborations, what do we do? Continuing with the email attachment scenario, we typically email the external party a COPY of the file. Collaborators then struggle to figure out which copy of the document has the most recent changes, in many cases needing to merge multiple documents to create a final draft.

Link-Based Secure Data Collaboration

Link-based modern collaboration

A modern approach to external file sharing and content collaboration, using links to share files, eliminates these flaws and provides the organization and users additional benefits.

·        Shared files are always under the organization’s control – With links, the data is never beyond your control until the recipient downloads the shared file (if that is enabled). Our clients’ experience is that about 80% of recipients will not download the file even given the permissions to do so. In most cases, users don’t need nor want a local copy of the file.

 

·        Business AND security both meet their objectives – Because file links can be expired anytime and with view-only sharing meeting the needs of most use cases, security teams now have the discretion to allow business users to share increasingly more sensitive data without compromising the organization’s obligation to protect sensitive data.

 

·        User productivity is greatly improved – Internal users and external parties can now collaborate on the same version of a shared file. No more version confusion! And links can be the basis for a Virtual Data Room, allowing for the bidirectional sharing of multiple files and the inclusion of various parties within the data room. 

Secure Data Collaboration using MIP Sensitivity Labels

e-Share’s MIP Data Protection Extender

Realizing the promise of link-based modern collaboration with external parties using M365 is possible with e-Share’s MIP Data Protection Extender. The MIP Extender allows e-Share to apply controls to externally shared files based on their MIP sensitivity label. e-Share now has a full understanding of the content, context, and user identities surrounding the sharing of sensitive content. This enables a real-time, intelligence-based approach to external file sharing and content collaboration.

 

e-Share MIP Integration

How does it work?

When an internal user initiates a Trusted Share, the e-Share MIP Extender evaluates the shared document and its container (i.e., SharePoint Online Site) for a MIP sensitivity label. If a label exists, e-Share will apply the org-defined sharing policy that is mapped to that sensitivity label. The sharing policy defines the recipient’s authentication requirements and rights (e.g., view only), the Trusted Share options (e.g., the ability of recipients to invite others), and is optionally and uniquely assigned to a sensitivity label.

 

If both a document and site label are present, e-Share will apply the policy associated with the highest priority label. The priority ordering of labels is performed within the M365 admin center and is automatically imported into e-Share by the MIP Extender. In practice, the highest priority label is more protective of the shared data (i.e., fewer rights with higher authentication requirements).

When the recipient accesses the shared file(s) using the provided Trusted Share link, the file’s label is once again evaluated by the MIP Extender, in real-time. This setting allows the recipient’s rights to be determined at the time and place when the risk to the shared data is greatest – at the time of data access. This setting is important, as the file’s content may have been changed since the file was initially shared. This situation is common when multiple parties are contributing to the content of shared files. It also accommodates Trusted Shares created from folders (i.e., a Virtual Data Room use case), where the folder’s content changes over time.

In the diagram, we see a user sharing a Public-labeled file from a Confidential-labeled SharePoint site (Step 1).  Consistent with our more restrictive (i.e., least privilege) approach to Secure Data Collaboration, the Confidential sharing policy is applied to the Trusted Share. This policy allows the recipient to view and download the file, with password-based authentication being required.

Between the time the file is shared and the time the file is accessed the content of the shared file changes such that the label is altered to Restricted (Step 2). Perhaps there is now PII within the file.

When the recipient attempts to access the shared file, the MIP Extender sees the new label and applies the sharing policy associated with the Restricted label (Step 3). This policy steps the recipient’s rights down to view only, steps up the authentication requirement to include MFA, and limits access to approved recipient domains. Perhaps this is a list of approved vendors or organizations with which an NDA exists. It could also be a disallow list of domains (e.g., gmail.com).

Recognizing that sensitivity labels are imperfect and could interfere with the legitimate sharing of files with external parties, the MIP Extender allows the constraints placed upon shared files to be optionally relaxed for an org-defined period (e.g., 48 hours) upon the request of the recipient and the approval of the Trusted Share owner. A web-based workflow for both the recipient and owner makes this easy.

This temporary access meets the needs of the business in sharing the file while allowing the data owner and organization some time to alter the recipient’s rights on a go-forward basis, alter the content of the shared files, or adjust the labels applied to the shared files.

Summary

MIP’s sensitivity labels and e-Share’s Secure Data Collaboration platform operate in concert via the MIP Data Protection Extender to enable easy but highly secure external file sharing and content collaboration with external parties. This allows MIP sensitivity labels to dynamically determine what data can be externally shared by whom, with whom, and with what rights. And because e-Share inherently requires nothing of the recipient other than an email address and a browser, e-Share extends MIP’s document protections and M365’s modern collaboration experience to anyone, anywhere.

If you would like to see a demo of e-Share’s Secure Data Collaboration in action, please contact us.