Sensitivity Labels in Various Microsoft Applications

Microsoft provides sensitivity labels as part of the comprehensive compliance and security features within Microsoft 365 and Microsoft Purview Information Protection. These labels classify and safeguard data, contributing to a secure and compliant data management framework.

The preservation of sensitive information through robust data governance and protection measures is paramount. Accurate classification and labeling of data play a pivotal role in guaranteeing that access to information is restricted to authorized individuals. Neglecting the implementation of these practices can lead to severe consequences such as data breaches, financial losses, and damage to an organization’s reputation.

Organizations grapple with data of varying sensitivity levels, ranging from information fit for public consumption, such as press releases, to confidential internal data like intellectual property (IP), mergers and acquisitions (M&A) details, and HR information. Additionally, there is data subject to regulatory requirements, including personally identifiable information (PII), healthcare data (PHI), and government and defense data like Controlled Unclassified Information (CUI).

Microsoft sensitivity labels serve as a valuable tool for classifying and identifying data based on its specific risk profile, enabling organizations to effectively manage and protect diverse types of information. Microsoft Purview Information Protection (MPIP) is a comprehensive system of data protection measures that also manages the labeling process as a whole. MPIP can support third-party apps with label access, persistent sensitivity labels that stay on the data no matter where it is located, custom classification capabilities, and other advantages.

Sensitivity labels for Microsoft applications such as Power BI, Outlook and SharePoint exist in the context of Microsoft 365 and give its users a range of capabilities, including the ability to:

  • Manage containers like Teams, Microsoft 365 Groups, and SharePoint sites with sensitivity labels.
  • Apply encryption measures to restrict unauthorized access to labeled content.
  • Extend sensitivity labels to third-party apps and services through the Microsoft Information Protection SDK, enabling third-party apps to read labels and apply protection settings.
  • Implement content markings such as headers, footers, and simple watermarks (e.g., ‘Confidential’) for clear identification.
  • Label and optionally encrypt meeting invites and responses, and enforce Teams-specific options for meetings and chats.
  • Facilitate content identification based on sensitivity levels for effective auditing and reporting.
  • Label files and schematized data assets (e.g., SQL, Azure SQL, Azure Synapse, Azure Cosmos DB, AWS RDS) in Microsoft Purview Data Map.

At the same time, the labeling system that Microsoft offers is far from perfect. It has significant limitations that may not be acceptable for some users. These labels tend to break the integrity of digitally signed files (DocuSign), making the signature itself useless for all intents and purposes. A label would also be misleading if the data it is applied to needs different levels of security for different user categories or different data states.

This system is also not suitable for organizations that have strict regulations on data ownership and data sovereignty, since Microsoft is a U.S. company subject to U.S. jurisdiction and releases information to the U.S. government at its first request. Additionally, MPIP’s labeling is not particularly effective when multiple labels need to be used (or if the company in question works with the defense/government sector). This market involves many complex rules and regulations, including ITAR, CUI handling, and others, so MPIP cannot always keep up.

In this context, it is easy to see how a third-party solution may be necessary for such data labeling use cases and other security matters. archTIS offers one way to solve these labeling issues for affected companies. It has introduced a distinctive solution that enhances Microsoft 365 (M365) content security through fine-grained, policy-based Attribute-Based Access Control (ABAC) and protection. Policies are evaluated in real time at the moment of access, allowing conditional access and protection to be applied to files, emails, and chats.

This is achieved by leveraging Microsoft’s MPIP sensitivity labels. The collaboration between archTIS and Microsoft is reflected in archTIS’ membership in the Microsoft Intelligent Security Association. This affiliation is primarily attributed to the augmented compliance and security capabilities that archTIS contributes to Microsoft Purview Information Protection. The integration of archTIS’ solutions aims to fortify and extend the security and compliance features of Microsoft’s information protection offerings.

archTIS’ NC Protect is capable of applying various data protection policies as well as conditional access based on attributes (the aforementioned ABAC). It can operate with all kinds of classification metadata, including Azure AD user attributes, MPIP security labels, and more. NC Protect’s capabilities include:

  • Support for multi-label classification, allowing documents to be tagged with unlimited labels to accommodate complex taxonomies.
  • The ability to automatically apply user-specific watermarks containing information such as name, date, time, and location based on sensitivity labels, headers, and footers, offering a deterrent against unauthorized sharing and a digital thumbprint for security incidents.
  • Coverage that extends beyond Office files and Outlook emails to include PDFs, CAD files, images, text files, HTML files, SharePoint list items, events, and more.
  • ABAC policies in NC Protect enable access control and varied file-level protection based on the user’s location, nationality, and file sensitivity.
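
The access-time decision described in the list above can be sketched as follows. This is an added illustration, not NC Protect or Microsoft Purview code: the policy table, the `User` type, the `decide` function and all sample users are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy table (hypothetical; not NC Protect or Purview syntax).
# None means the attribute is unrestricted for that label.
POLICY = {
    "Public":       {"nationalities": None,         "locations": None},
    "Confidential": {"nationalities": None,         "locations": {"US", "AU", "GB"}},
    "CUI":          {"nationalities": {"US", "AU"}, "locations": {"US", "AU"}},
    "ITAR":         {"nationalities": {"US"},       "locations": {"US"}},
}
RANK = {"allow": 0, "read_only": 1, "deny": 2}

@dataclass(frozen=True)
class User:
    name: str
    nationality: str
    location: str  # country the request comes from

def decide(user, labels, now):
    """Evaluate every label on the file at access time; the strictest result wins."""
    decision, reasons = "allow", []
    for label in sorted(labels):
        rule = POLICY.get(label)
        if rule is None:                      # unknown label: fail closed
            result = "deny"
        elif rule["nationalities"] and user.nationality not in rule["nationalities"]:
            result = "deny"
        elif rule["locations"] and user.location not in rule["locations"]:
            result = "read_only"              # permitted person, restricted place
        else:
            result = "allow"
        if result != "allow":
            reasons.append(f"{label}:{result}")
        if RANK[result] > RANK[decision]:
            decision = result
    watermark = None
    if decision != "deny" and labels - {"Public"}:
        # User-specific watermark: name, date, time and location.
        stamp = now.strftime("%Y-%m-%d %H:%M UTC")
        watermark = f"{user.name} | {stamp} | {user.location}"
    return {"decision": decision, "reasons": reasons, "watermark": watermark}

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)  # constructed timestamp
    doc = {"Confidential", "CUI"}                            # one file, two labels
    for u in (User("alice", "US", "US"), User("bob", "AU", "GB"), User("carol", "FR", "US")):
        print(u.name, decide(u, doc, now))
```

The same file yields three different outcomes for three users, which is the case a single static label cannot express.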

By extending data labeling and protection capabilities, NC Protect provides a more robust solution to address the handling requirements of sensitive data, catering to the needs of government, defense, and enterprise sectors. This ensures a comprehensive approach to data security, meeting stringent compliance standards and enhancing the overall protection of sensitive information within the M365 environment.
