Secure Data Collaboration using MIP Sensitivity Labels

e-Share Blog

Organizations are under increasing pressure to share more sensitive information with external parties to keep up with market demands while still complying with data protection rules and regulations. As a result, they turn to intelligence-based Secure Data Collaboration solutions that are contextually aware of data sensitivity.

Traditional approaches to secure the sharing of sensitive files, such as Data Loss Prevention (e.g., DLP), are flawed and do not meet the needs of organizations that are embracing cloud-based productivity solutions. These flaws manifest themselves in three principal ways:

  • File transfer, not sharing – Traditional approaches to secure file sharing, such as attempting to secure email attachments, result in files being given away forever. There are no controls available once the shared files are sent, let alone any ability to remove access to the file later.

  • Inflexible to the needs of the business AND security – Because files are shared without any controls, there is only one opportunity for the organization to decide if the file transfer is appropriate. Continuing with the email attachment scenario, a DLP system evaluates the content of file attachments when the file is being sent and either allows the user to send the email with the attachments to be sent or blocks the email. The binary nature of these choices results in data protections being diminished or the business being impacted. There is no win-win.

  • Modern Collaboration is not extended to external parties – Productivity suites such as O365 have drastically improved the productivity of workgroups who can now create, edit, review, and collaborate around a single copy of a shared file. But when it becomes necessary to bring clients, partners and suppliers into these collaborations, what do we do? Continuing with the email attachment scenario, we typically email the external party a COPY of the file. Collaborators then struggle to figure out which copy of the document has the most recent changes, in many cases needing to merge multiple documents to create a final draft.

Link-Based Secure Data Collaboration

Link-based modern collaboration

A modern approach to external file sharing and content collaboration, using links to share files, eliminates these flaws and provides the organization and users additional benefits.

·        Shared files are always under the organization’s control – With links, the data is never beyond your control until the recipient downloads the shared file (if that is enabled). Our clients’ experience is that about 80% of recipients will not download the file even given the permissions to do so. In most cases, users don’t need nor want a local copy of the file.

 

·        Business AND security both meet their objectives – Because file links can be expired anytime and with view-only sharing meeting the needs of most use cases, security teams now have the discretion to allow business users to share increasingly more sensitive data without compromising the organization’s obligation to protect sensitive data.

 

·        User productivity is greatly improved – Internal users and external parties can now collaborate on the same version of a shared file. No more version confusion! And links can be the basis for a Virtual Data Room, allowing for the bidirectional sharing of multiple files and the inclusion of various parties within the data room. 

Secure Data Collaboration using MIP Sensitivity Labels

e-Share’s MIP Data Protection Extender

Realizing the promise of link-based modern collaboration with external parties using M365 is possible with e-Share’s MIP Data Protection Extender. The MIP Extender allows e-Share to apply controls to externally shared files based on their MIP sensitivity label. e-Share now has a full understanding of the content, context, and user identities surrounding the sharing of sensitive content. This enables a real-time, intelligence-based approach to external file sharing and content collaboration.

 

e-Share MIP Integration

How does it work?

When an internal user initiates a Trusted Share, the e-Share MIP Extender evaluates the shared document and its container (i.e., SharePoint Online Site) for a MIP sensitivity label. If a label exists, e-Share will apply the org-defined sharing policy that is mapped to that sensitivity label. The sharing policy defines the recipient’s authentication requirements and rights (e.g., view only), the Trusted Share options (e.g., the ability of recipients to invite others), and is optionally and uniquely assigned to a sensitivity label.

 

If both a document and site label are present, e-Share will apply the policy associated with the highest priority label. The priority ordering of labels is performed within the M365 admin center and is automatically imported into e-Share by the MIP Extender. In practice, the highest priority label is more protective of the shared data (i.e., fewer rights with higher authentication requirements).

When the recipient accesses the shared file(s) using the provided Trusted Share link, the file’s label is once again evaluated by the MIP Extender, in real-time. This setting allows the recipient’s rights to be determined at the time and place when the risk to the shared data is greatest – at the time of data access. This setting is important, as the file’s content may have been changed since the file was initially shared. This situation is common when multiple parties are contributing to the content of shared files. It also accommodates Trusted Shares created from folders (i.e., a Virtual Data Room use case), where the folder’s content changes over time.

In the diagram, we see a user sharing a Public-labeled file from a Confidential-labeled SharePoint site (Step 1).  Consistent with our more restrictive (i.e., least privilege) approach to Secure Data Collaboration, the Confidential sharing policy is applied to the Trusted Share. This policy allows the recipient to view and download the file, with password-based authentication being required.

Between the time the file is shared and the time the file is accessed the content of the shared file changes such that the label is altered to Restricted (Step 2). Perhaps there is now PII within the file.

When the recipient attempts to access the shared file, the MIP Extender sees the new label and applies the sharing policy associated with the Restricted label (Step 3). This policy steps the recipient’s rights down to view only, steps up the authentication requirement to include MFA, and limits access to approved recipient domains. Perhaps this is a list of approved vendors or organizations with which an NDA exists. It could also be a disallow list of domains (e.g., gmail.com).

Recognizing that sensitivity labels are imperfect and could interfere with the legitimate sharing of files with external parties, the MIP Extender allows the constraints placed upon shared files to be optionally relaxed for an org-defined period (e.g., 48 hours) upon the request of the recipient and the approval of the Trusted Share owner. A web-based workflow for both the recipient and owner makes this easy.

This temporary access meets the needs of the business in sharing the file while allowing the data owner and organization some time to alter the recipient’s rights on a go-forward basis, alter the content of the shared files, or adjust the labels applied to the shared files.

Summary

MIP’s sensitivity labels and e-Share’s Secure Data Collaboration platform operate in concert via the MIP Data Protection Extender to enable easy but highly secure external file sharing and content collaboration with external parties. This allows MIP sensitivity labels to dynamically determine what data can be externally shared by whom, with whom, and with what rights. And because e-Share inherently requires nothing of the recipient other than an email address and a browser, e-Share extends MIP’s document protections and M365’s modern collaboration experience to anyone, anywhere.

If you would like to see a demo of e-Share’s Secure Data Collaboration in action, please contact us.

What does riding a horse have to do with modern collaboration?

File Sharing Encryption

Recently we had a great debate at e-Share about file encryption and secure data collaboration. The discussion centered around a claim that if you are a modern collaborator, you do not need to encrypt shared files since links are used to access files stored in the cloud. 

How we came to a consensus was with an analogy about riding horses and driving cars.

Before the car was invented, people rode horses. Intelligent horseback riders would wear helmets or protective gear to ensure they would not get hurt if they fell off the horse. After the car was invented, people did not wear helmets while driving since the car’s frame would give them protection. Cars have become even safer than riding a horse over the past century, with the advent of seat belts and airbags. Most people other than race car drivers do not wear helmets because it is redundant.  

Traditional file sharing and content collaboration is like riding a horse. The sharing of data is built around an on-premises file transfer solution. Using encryption (putting a helmet on) makes sense as the data (the horseback rider) is exposed and needs protection as the data leaves the premises. Modern collaboration is like driving a car; the file is already and always stored in a trusted container (e.g., SharePoint Online), and adding encryption (wearing a helmet) is redundant. The critical thing to focus on is ensuring the correct privileges are established to access the information (the keys to access the locks to get in and start the car).

 

The other great thing about modern cars is their navigation system. They can track where you are always going. The same is true with modern collaboration. Link-based sharing allows you to ensure your data can be audited and always tracked at the time of access, not just at the time of sharing. This is a critical distinction. With secure links, the file is never downloaded by the recipient, and therefore you are not securing a file; you are controlling access through a least privilege model.  

Show the difference between modern and traditional sharing

But people still ride horses…

Yes, horses are still ridden for work, transportation, and leisure but cars have replaced horses as the most popular form of transportation. We see a similar evolution in organizations. While most of the business is shifting to modern collaboration that protects data with a Secure Data Collaboration strategy, some people still share and download files. We do not argue that applying encryption (putting on a helmet) is a bad idea in those instances.

 

Please let us know if you would like to learn more about how your company can implement a solution that allows secure data collaboration. You can find us down at the stables trying to convince the modern collaborator holdouts. Giddy-up! 

5 Lessons Learned Deploying Microsoft Information Protection (MIP) Labeling

Microsoft Information Protection

Like our customers, e-Share strives to leverage all the modern collaboration tools we have at our disposal. As a Microsoft customer eager to deploy MIP labeling, we have optimized the business value attained with current licensing and cost-justified our adoption journey for productivity tools as well as Microsoft Information Protection.

With this suite of Microsoft products, we want to use OneDrive, SharePoint, and Teams not just internally but also for external collaboration. As we looked to achieve our own Secure Data Collaboration goals, it became clear that we could benefit from the adoption of MIP labeling. As a team, e-Share has deep experience building and managing data loss prevention and data classification products. Naturally, with this kind of background, deploying our own labeling taxonomy should be a breeze – right?

After a few more meetings than we anticipated, we had defined a taxonomy that we could all agree on and met the requirements of our SOC 2 driven Information Classification Policy. Here is where our e-Share taxonomy landed using MIP labeling:

  1. Public:
    • This is information that is suited, and in many cases created, for public disclosure.
    • No control policies but requires business justification if a user selects this label.
  2. Confidential:
    • This is information that is related to everyday business activities, such as product and marketing documentation
    • This is our default label
    • All Confidential data must stay within e-Share’s control, which means e-mail attachments will be stripped (using e-Share’s Secure Mail Gateway) and placed into a trusted share on SharePoint
    • External users will not require a login to the trusted share
    • However, every action (open, edit, download, etc.) will be logged and be visible in our Microsoft Power BI analytics reports
  3. Restricted (includes all Confidential policies):
    • This is all customer custodial data and customer data
    • Login to the trusted share will be required from external users (OpenID, OTP)
    • Anything regulated found with auto-labeling would be tagged at this level
  4. Private (includes all Restricted policies):
    • This is information that only a minimal amount of people should have access to
    • Investor, financial, internal-only documents
    • Allow list (limited to 20-30 people/domains)
    • Headers and footers are applied

So, what did we learn deploying MIP labeling?

1) Always start with why – then talk about the labels.

With labeling, people tend to overly focus on the actual names of the labels, resulting in many hours/weeks/months/years of discussion. However, if you are not clear on the “why,” there will be an endless loop of frustration. In this case, the why is what controls do we want to have? At e-Share, since we use our product, the discussion focused on the kinds of access we will grant external recipients to our Trusted Shares based on the label. To accomplish this, you need to think hard about who you interact with the most daily and compartmentalize policies to those categories. This then leads to lesson number two.

 

2) Do not overcomplicate (KISS – Keep It Simple, Stupid)
As organizations start to think about their labels and classify the different groups and privileges, things can get complicated quickly. Therefore, the moment you feel discussions getting out of control, communicate the importance of simplification. Less is more. Strive to find the few things that can make a real difference.  If you try and build a label with sub-labels for every interaction that might exist, the taxonomy will become overburdened and useless. e-Share decided to stay very simple (which is hard) and stick to four labels with no sub-labels. It is essential to consider the level of maturity and readiness of your end-users regarding data protection. Giving users too many options will cause analysis/paralysis, diminishing the classification process.

3) Consider how this will impact sharing with external users.
Often labeling discussions get focused on data inventory and internal data flows, but perhaps more importantly, you should consider how these labels will impact external sharing. As you can see from the e-Share taxonomy, our data classification policy is more heavily focused on what this means for external users and their access to our data. Of course, it is vital that certain internal information is kept private (e.g., investor relations). So we accounted for that with a label that provides policy granularity at a user/domain level.

4) Focus on newly created data first, then data at rest and in motion.
Even as a small company, e-Share has a ton of unstructured data; however, we started our labeling journey with data that is newly created and deployed MIP to all users in the business first. From there, we used Microsoft Cloud App Security to apply document labels to existing files in OneDrive and SharePoint so that we can control access to any and all externally shared files based on label policies (e.g., Restricted files require a user login through OpenID).

5) Defaults can help when used correctly.
There is always a great debate around using default labels. If you are not careful, they can create complacency and confusion. For e-Share, as you can see, we opted to stay away from an Internal label and instead used Confidential as our default label. We have found that 90% of our data is Confidential, so let us not get in our employees’ way. However, if they downgrade to Public, we have a business justification workflow to ensure the downgrade is warranted and tracked.

Microsoft Information Protection labeling is something to consider for every company which uses Microsoft products and collaborates externally. If you want to talk more about labeling and even see a demo of our taxonomy in action, we would be happy to walk you through it. Please click here to contact us

Top 3 Reasons Secure Data Collaboration is Disrupting Information Security

Secure Data Collaboration

Companies interested in adopting modern file-sharing and collaboration solutions typically consider two choices.

The first choice is to stay the course, with company security the paramount concern. By making it difficult and time-consuming to share information, this option impacts the level of collaboration conducted by the organization, which minimizes productivity. 

The second choice is to choose the course of full speed ahead as the company encourages sharing information and fostering collaboration. This strategy makes it easy for employees to collaborate within and outside the organization, ramping up productivity and hopefully revenue. The danger of this choice is dramatically increasing the chance of sensitive data loss (e.g., intellectual property) while also failing to comply with global data protection regulations.

However, there is a third choice, one that does not hinder data loss prevention efforts while allowing as much collaboration as possible. This choice is called secure data collaboration, and it is emerging as an information security strategy for our modern age.

What is Secure Data Collaboration?

Secure Data Collaboration (SDC) is sharing data between two parties securely and productively. BAE systems has a great definition: Secure Data Collaboration and Dissemination is a type of electronic information sharing capability in which two or more parties can each securely exchange their data with each other in an encrypted software environment – for collaboration on projects, for example, or dissemination of sensitive information – while always maintaining control of their data.

The key here is that SDC is not “encrypting the data itself” nor “preventing collaboration.” SDC is securely exchanging data in an environment that is already secure and globally adopted (e.g., Microsoft Teams, SharePoint Online, OneDrive).

Before every organization in the world accelerated to the cloud in 2020, one might argue that these environments were not that accessible; how many Global 2000 organizations deployed and used OneDrive globally? Fast forward to 2021, and in the past year, the adoption of M365 accelerated faster than anyone could have predicted. As a result, most organizations have access to these secure cloud containers and are now ready to become modern collaborators. It is during this transition to modern collaboration that SDC will disrupt traditional information security solutions, and here are the top 3 reasons why:

  1. Traditional information security solutions were built on an assumption of prevention: Locking data down or stopping data from leaving the organization are disabling collaboration, not enabling it. This attitude does not work for modern collaborators who want to accelerate productivity and service delivery for their customers. However, SDC is built on the assumption that organizations want to share data with 3rd parties; they need help managing the access controls to the secure container (e.g., Microsoft Teams).

  2. Secure Data Collaboration is built from the cloud for the cloud: Information Rights Management (IRM) and Data Loss Prevention (DLP) were initially built to support traditional enterprises, mainly operating on-premises. Modern collaboration demands security solutions that are purpose-built from the cloud and for the cloud. Collaboration is constantly changing, and on-premise solutions are not adaptive. SDC requires a solution that assumes change.

  3. Productivity will always outweigh security: This has been an ongoing debate since the dawn of information security; however, the last year has proven that organizations will do whatever it takes to ensure their employees can remain productive. We thought organizations that would take another five years to “go digital” did it in weeks and accepted that the security controls would be playing a bit of catch-up. Traditional information security solutions that continue to put roadblocks in front of productivity will no longer cut it. SDC is focused on truly striking that balance for its users.

If you would like to learn how e-Share can deliver a modern solution that secures your company data while enabling employee collaboration, please contact us to arrange a demo. The e-Share team will be writing more about secure data collaboration  in the coming weeks, and we are excited to share more developments on this topic.