Secure Data Collaboration using MIP Sensitivity Labels

e-Share Blog

Organizations are under increasing pressure to share more sensitive information with external parties to keep up with market demands while still complying with data protection rules and regulations. As a result, they turn to intelligence-based Secure Data Collaboration solutions that are contextually aware of data sensitivity.

Traditional approaches to secure the sharing of sensitive files, such as Data Loss Prevention (e.g., DLP), are flawed and do not meet the needs of organizations that are embracing cloud-based productivity solutions. These flaws manifest themselves in three principal ways:

  • File transfer, not sharing – Traditional approaches to secure file sharing, such as attempting to secure email attachments, result in files being given away forever. There are no controls available once the shared files are sent, let alone any ability to remove access to the file later.

  • Inflexible to the needs of the business AND security – Because files are shared without any controls, there is only one opportunity for the organization to decide if the file transfer is appropriate. Continuing with the email attachment scenario, a DLP system evaluates the content of file attachments when the file is being sent and either allows the user to send the email with the attachments to be sent or blocks the email. The binary nature of these choices results in data protections being diminished or the business being impacted. There is no win-win.

  • Modern Collaboration is not extended to external parties – Productivity suites such as O365 have drastically improved the productivity of workgroups who can now create, edit, review, and collaborate around a single copy of a shared file. But when it becomes necessary to bring clients, partners and suppliers into these collaborations, what do we do? Continuing with the email attachment scenario, we typically email the external party a COPY of the file. Collaborators then struggle to figure out which copy of the document has the most recent changes, in many cases needing to merge multiple documents to create a final draft.

Link-Based Secure Data Collaboration

Link-based modern collaboration

A modern approach to external file sharing and content collaboration, using links to share files, eliminates these flaws and provides the organization and users additional benefits.

·        Shared files are always under the organization’s control – With links, the data is never beyond your control until the recipient downloads the shared file (if that is enabled). Our clients’ experience is that about 80% of recipients will not download the file even given the permissions to do so. In most cases, users don’t need nor want a local copy of the file.


·        Business AND security both meet their objectives – Because file links can be expired anytime and with view-only sharing meeting the needs of most use cases, security teams now have the discretion to allow business users to share increasingly more sensitive data without compromising the organization’s obligation to protect sensitive data.


·        User productivity is greatly improved – Internal users and external parties can now collaborate on the same version of a shared file. No more version confusion! And links can be the basis for a Virtual Data Room, allowing for the bidirectional sharing of multiple files and the inclusion of various parties within the data room. 

Secure Data Collaboration using MIP Sensitivity Labels

e-Share’s MIP Data Protection Extender

Realizing the promise of link-based modern collaboration with external parties using M365 is possible with e-Share’s MIP Data Protection Extender. The MIP Extender allows e-Share to apply controls to externally shared files based on their MIP sensitivity label. e-Share now has a full understanding of the content, context, and user identities surrounding the sharing of sensitive content. This enables a real-time, intelligence-based approach to external file sharing and content collaboration.


e-Share MIP Integration

How does it work?

When an internal user initiates a Trusted Share, the e-Share MIP Extender evaluates the shared document and its container (i.e., SharePoint Online Site) for a MIP sensitivity label. If a label exists, e-Share will apply the org-defined sharing policy that is mapped to that sensitivity label. The sharing policy defines the recipient’s authentication requirements and rights (e.g., view only), the Trusted Share options (e.g., the ability of recipients to invite others), and is optionally and uniquely assigned to a sensitivity label.


If both a document and site label are present, e-Share will apply the policy associated with the highest priority label. The priority ordering of labels is performed within the M365 admin center and is automatically imported into e-Share by the MIP Extender. In practice, the highest priority label is more protective of the shared data (i.e., fewer rights with higher authentication requirements).

When the recipient accesses the shared file(s) using the provided Trusted Share link, the file’s label is once again evaluated by the MIP Extender, in real-time. This setting allows the recipient’s rights to be determined at the time and place when the risk to the shared data is greatest – at the time of data access. This setting is important, as the file’s content may have been changed since the file was initially shared. This situation is common when multiple parties are contributing to the content of shared files. It also accommodates Trusted Shares created from folders (i.e., a Virtual Data Room use case), where the folder’s content changes over time.

In the diagram, we see a user sharing a Public-labeled file from a Confidential-labeled SharePoint site (Step 1).  Consistent with our more restrictive (i.e., least privilege) approach to Secure Data Collaboration, the Confidential sharing policy is applied to the Trusted Share. This policy allows the recipient to view and download the file, with password-based authentication being required.

Between the time the file is shared and the time the file is accessed the content of the shared file changes such that the label is altered to Restricted (Step 2). Perhaps there is now PII within the file.

When the recipient attempts to access the shared file, the MIP Extender sees the new label and applies the sharing policy associated with the Restricted label (Step 3). This policy steps the recipient’s rights down to view only, steps up the authentication requirement to include MFA, and limits access to approved recipient domains. Perhaps this is a list of approved vendors or organizations with which an NDA exists. It could also be a disallow list of domains (e.g.,

Recognizing that sensitivity labels are imperfect and could interfere with the legitimate sharing of files with external parties, the MIP Extender allows the constraints placed upon shared files to be optionally relaxed for an org-defined period (e.g., 48 hours) upon the request of the recipient and the approval of the Trusted Share owner. A web-based workflow for both the recipient and owner makes this easy.

This temporary access meets the needs of the business in sharing the file while allowing the data owner and organization some time to alter the recipient’s rights on a go-forward basis, alter the content of the shared files, or adjust the labels applied to the shared files.


MIP’s sensitivity labels and e-Share’s Secure Data Collaboration platform operate in concert via the MIP Data Protection Extender to enable easy but highly secure external file sharing and content collaboration with external parties. This allows MIP sensitivity labels to dynamically determine what data can be externally shared by whom, with whom, and with what rights. And because e-Share inherently requires nothing of the recipient other than an email address and a browser, e-Share extends MIP’s document protections and M365’s modern collaboration experience to anyone, anywhere.

If you would like to see a demo of e-Share’s Secure Data Collaboration in action, please contact us.

4 Ways To Measure Secure Data Collaboration

One of the most important things you can do as a leader when trying to implement change is to measure the impact of that change through key performance indicators (KPI). While organizations have spent years tuning financial KPIs and even security KPIs (e.g., risk), not much discussion has been had about KPIs to measure Secure Data Collaboration. We are proposing four KPIs that would allow organizations to understand the effectiveness and adoption of Secure Data Collaboration.

One of the biggest challenges with KPIs is that there is no shortage of data. We were recently reminded of this by an information security and collaboration leader who often must report to executives that:

“the KPI should show me what we want users to be doing more of and the
kind of behavior we are trying to change.

With that guidance in mind, these are the four KPIs that we propose to measure Secure Data Collaboration. 


KPI #1: Are we keeping sensitive information in our control?

% of Restricted data in our full control

The metric: Measures the percentage of files downloaded from a trusted file share (e.g. SharePoint) when shared externally, based on the data’s sensitivity.

With Secure Data Collaboration sitting at the center of security and collaboration, we believe it is essential that organizations understand whether they maintain control over their most sensitive information. While some organizations may want to block all downloads, that kind of control may not meet the needs of the business. We recommend having visibility on whether your most sensitive data (e.g., labeled as “Restricted”) stays in your control. This course of action allows organizations to meet the business need to share sensitive information with external parties.


KPI#2: Are our users using Microsoft 365 for external collaboration? 

External Collaboration Activity using M365

The metric: Measures the number of share creators as well as internal and external users actively collaborating within Microsoft 365.


Organizations are making significant investments in selecting Microsoft 365 (M365) as their platform for modern collaboration. However, some companies only use M365 internally while relying on point solutions for external file sharing, thereby missing out on the additional return of their M365 investment. Therefore, measuring how much your modern collaboration platform is being used to collaborate externally will provide great insight into how much return you are getting on your overall investment. If you are concerned about turning on external sharing or guest access in Microsoft 365, then feel free to give us a call, we can address the underlying security, privacy and compliance concerns 😊.

KPI #3: What type of data is being shared with external collaborators?

% of data shared externally by sensitivity

The metric: Measures files shared by the sensitivity-level with external recipients.

One of the challenges that information security often faces is reporting on a KPI that is easy to understand. We recommend a data classification strategy that be easily consumed by anyone (red = highly sensitive, orange more sensitive, yellow = somewhat sensitive, green = not sensitive). The goal of Secure Data Collaboration is to allow sensitive information to still be exchanged with external collaborators. As a result, this metric does not aim to sound a fire alarm if highly sensitive data is shared externally. Its purpose is to bring awareness to executives of potential exposure. Many industries have extremely tight rules around what type of data can be shared externally (e.g., Aerospace and Defense – ITAR); however, you still need to share data and collaborate with external parties. Better understanding the potential exposure allows companies to implement appropriate controls to enable Secure Data Collaboration policies.


KPI #4: What is our overall level of engagement with external parties? (customers, partners, suppliers) 

External Collaboration Engagement

The metric: Measures the type of file activity when information is shared. No file activity by the user would represent low engagement, file views by the user would be classified as a medium level of engagement and file opens and uploads by the user would be deemed as a higher level of engagement. 

Implementing a KPI dashboard will generate reams of data about the file-sharing activities of your customers. Analyzing this data will allow you to gain better insights into whether your customers are actively engaged with your organization and their potential revenue.

Bringing it all together


We would love to hear your feedback about the KPIs we are proposing in this Secure Data Collaboration dashboard. Please share any other ideas that you think could help effectively measure Secure Data Collaboration. If you would like more information on how to get access to these kinds of metrics, please feel free to reach out and we would be happy to walk you through it. Below is what a sample KPI dashboard could look like as a slide to report back up to your executives.

Secure Data Collaboration Dashboard

5 Lessons Learned Deploying Microsoft Information Protection (MIP) Labeling

Microsoft Information Protection

Like our customers, e-Share strives to leverage all the modern collaboration tools we have at our disposal. As a Microsoft customer eager to deploy MIP labeling, we have optimized the business value attained with current licensing and cost-justified our adoption journey for productivity tools as well as Microsoft Information Protection.

With this suite of Microsoft products, we want to use OneDrive, SharePoint, and Teams not just internally but also for external collaboration. As we looked to achieve our own Secure Data Collaboration goals, it became clear that we could benefit from the adoption of MIP labeling. As a team, e-Share has deep experience building and managing data loss prevention and data classification products. Naturally, with this kind of background, deploying our own labeling taxonomy should be a breeze – right?

After a few more meetings than we anticipated, we had defined a taxonomy that we could all agree on and met the requirements of our SOC 2 driven Information Classification Policy. Here is where our e-Share taxonomy landed using MIP labeling:

  1. Public:
    • This is information that is suited, and in many cases created, for public disclosure.
    • No control policies but requires business justification if a user selects this label.
  2. Confidential:
    • This is information that is related to everyday business activities, such as product and marketing documentation
    • This is our default label
    • All Confidential data must stay within e-Share’s control, which means e-mail attachments will be stripped (using e-Share’s Secure Mail Gateway) and placed into a trusted share on SharePoint
    • External users will not require a login to the trusted share
    • However, every action (open, edit, download, etc.) will be logged and be visible in our Microsoft Power BI analytics reports
  3. Restricted (includes all Confidential policies):
    • This is all customer custodial data and customer data
    • Login to the trusted share will be required from external users (OpenID, OTP)
    • Anything regulated found with auto-labeling would be tagged at this level
  4. Private (includes all Restricted policies):
    • This is information that only a minimal amount of people should have access to
    • Investor, financial, internal-only documents
    • Allow list (limited to 20-30 people/domains)
    • Headers and footers are applied

So, what did we learn deploying MIP labeling?

1) Always start with why – then talk about the labels.

With labeling, people tend to overly focus on the actual names of the labels, resulting in many hours/weeks/months/years of discussion. However, if you are not clear on the “why,” there will be an endless loop of frustration. In this case, the why is what controls do we want to have? At e-Share, since we use our product, the discussion focused on the kinds of access we will grant external recipients to our Trusted Shares based on the label. To accomplish this, you need to think hard about who you interact with the most daily and compartmentalize policies to those categories. This then leads to lesson number two.


2) Do not overcomplicate (KISS – Keep It Simple, Stupid)
As organizations start to think about their labels and classify the different groups and privileges, things can get complicated quickly. Therefore, the moment you feel discussions getting out of control, communicate the importance of simplification. Less is more. Strive to find the few things that can make a real difference.  If you try and build a label with sub-labels for every interaction that might exist, the taxonomy will become overburdened and useless. e-Share decided to stay very simple (which is hard) and stick to four labels with no sub-labels. It is essential to consider the level of maturity and readiness of your end-users regarding data protection. Giving users too many options will cause analysis/paralysis, diminishing the classification process.

3) Consider how this will impact sharing with external users.
Often labeling discussions get focused on data inventory and internal data flows, but perhaps more importantly, you should consider how these labels will impact external sharing. As you can see from the e-Share taxonomy, our data classification policy is more heavily focused on what this means for external users and their access to our data. Of course, it is vital that certain internal information is kept private (e.g., investor relations). So we accounted for that with a label that provides policy granularity at a user/domain level.

4) Focus on newly created data first, then data at rest and in motion.
Even as a small company, e-Share has a ton of unstructured data; however, we started our labeling journey with data that is newly created and deployed MIP to all users in the business first. From there, we used Microsoft Cloud App Security to apply document labels to existing files in OneDrive and SharePoint so that we can control access to any and all externally shared files based on label policies (e.g., Restricted files require a user login through OpenID).

5) Defaults can help when used correctly.
There is always a great debate around using default labels. If you are not careful, they can create complacency and confusion. For e-Share, as you can see, we opted to stay away from an Internal label and instead used Confidential as our default label. We have found that 90% of our data is Confidential, so let us not get in our employees’ way. However, if they downgrade to Public, we have a business justification workflow to ensure the downgrade is warranted and tracked.

Microsoft Information Protection labeling is something to consider for every company which uses Microsoft products and collaborates externally. If you want to talk more about labeling and even see a demo of our taxonomy in action, we would be happy to walk you through it. Please click here to contact us