A sensitivity label classifies and protects a document or email. Sensitivity labels are now available from Office 365 Security and compliance and require an Office 365 E3/E5 license. Previously, the same functionality was available in Azure Information Protection (Azure Information Protection is still available in Azure), and that required an Azure Information Protection premium license.
Previously, Azure Information Protection was used to protect Office documents (Word, Excel, PowerPoint, Email) from a Windows machine. Now it is part of Office 365 and helps protect documents in SharePoint Online, OneDrive, Exchange Online and Office Online. So labeling is moving from Azure to Office 365 with an E3/E5 license.
By default, when you create a new sensitivity label from Office 365 Security and compliance, the same label is created in AIP. If you modify an existing label in AIP, you can push the modification to the sensitivity label using the publish option. But if you modify an existing sensitivity label, the change is not updated in AIP.
The administrator needs to create the label and publish it to users/groups from Office 365 Security and compliance. After the label is published, users can apply it to documents and email using the Azure Information Protection unified labeling client. You can download the unified labeling client from this link (download the AzInfoProtection_ul.exe file). Coming soon, the sensitivity label option will be included by default in Office apps on Windows and Office Online, so the unified labeling client will no longer be required.
Note: A built-in sensitivity label option is already available on Mac (V 16.21.0+), iOS (V 2.21+) and Android (V 16.0.11231+).
The administrator needs to create the label from Office 365 Security and compliance > Classification > label. Label order is important: the more sensitive label goes lower in the order and the less sensitive label goes higher in the order. For example, if you only want content marking with a footer or header to classify the document (without encryption or DLP), that is a low-sensitivity label, and it must be higher in the order.
A sensitivity label has the following features.
Note: Depending on the need, we can skip any of the above features when creating a sensitivity label.
Sensitivity labels use Azure Rights Management to encrypt the data. Besides encryption, it also has some important features: access duration, offline access and file access permissions. If the document is not very sensitive, we can skip or disable encryption. Azure Information Protection also uses Azure Rights Management to encrypt the data.
We can encrypt email only, or email and documents.
We can define how long the labeled file can be accessed. After the specified number of days, file access expires and users can no longer access the labeled file.
We can define whether users can access the file offline: Never, Always, or only for a number of days. If we define a number of days, users need to re-authenticate to access the file after that many days.
We can define which users can access the file with specific permission.
It also has the following options to define which users can access the file.
It has the following predefined permission levels, and we can also define custom permissions to access the file.
Note: If you enable encryption for specific people, only those people can access the file. Others are not able to access it.
Content marking is used to classify documents (Word, Excel, PowerPoint) and email. It uses a header, footer or watermark.
Headers and footers are available for documents and email. Watermarking is only available for documents, not for email.
Data loss prevention (DLP) is used by Windows Information Protection (WIP) to prevent accidental leakage of documents, with or without applying encryption. WIP prevents copying to USB drives and prevents sharing of data to any non-work location such as a personal OneDrive, personal email accounts or social media.
This example prevents sending a file from a personal Gmail account.
Before looking at DLP (WIP) in a sensitivity label, we need to check the prerequisites for DLP (WIP) in a sensitivity label.
If you create a sensitivity label with data loss prevention enabled, that label can be applied to a document manually or automatically, using auto labeling. Once the label is applied to a document on a Windows 10 machine, Windows Defender Advanced Threat Protection automatically scans any DLP-enabled document. Windows Defender ATP triggers the WIP policy, and the WIP policy protects the document.
Before looking at auto labeling, we need to check the prerequisites for auto labeling.
Note: The auto labeling function is not available on operating systems other than Windows, such as Mac, iOS and Android.
Auto labeling works based on the sensitive information types (credit card number, account number) stored in the label. The unified labeling client checks the file when it is opened and either applies the label automatically or shows a recommendation message to change the label, depending on the configuration in the sensitivity label.
The label is now created successfully, but it will not reach the users in your organization. So we need to publish the label and define who can access it. This process is called a label policy. Using a label policy, we can publish one or more labels, define which users can access them, and define which label is the default label. Another important feature of a label policy is user justification: if the user removes a label or changes it to a lower classification level, the user needs to provide a justification for this action.
Note: When you define the label policy permissions, ensure that the users/groups in the label's encryption permissions also exist in the label policy permissions.
As with sensitivity labels, the order of label policies helps to prioritize the policies. A higher-priority label policy is shown lower in the order and the lowest-priority policy is shown higher in the order in the label policies list.
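The two policy rules above (justification on removal or downgrade, and encryption users having to sit inside the policy's scope) can be checked mechanically. The following is an added example, not part of the original article or any Microsoft tool: the dict layout, names and addresses are constructed, labels are listed in portal order with the least sensitive first, and identities are compared literally with no group expansion.

```python
# Constructed sample data; the layout is an assumption made for this example,
# not an export format of Office 365 Security and compliance.
LABELS = [  # portal order: least sensitive first, most sensitive last
    {"name": "Public", "encrypt_for": set()},
    {"name": "Internal", "encrypt_for": set()},
    {"name": "Confidential",
     "encrypt_for": {"finance@contoso.example", "legal@contoso.example"}},
]
POLICIES = [
    {"name": "Finance policy",
     "labels": ["Public", "Internal", "Confidential"],
     "published_to": {"finance@contoso.example"},
     "require_justification": True},
]

def rank(label_name):
    """Position in the label order; a larger number means more sensitive."""
    return [label["name"] for label in LABELS].index(label_name)

def scope_gaps(labels, policies):
    """List (policy, label, missing users) where a label's encryption
    permissions name users/groups the publishing policy does not cover."""
    by_name = {label["name"]: label for label in labels}
    gaps = []
    for policy in policies:
        for label_name in policy["labels"]:
            missing = by_name[label_name]["encrypt_for"] - policy["published_to"]
            if missing:
                gaps.append((policy["name"], label_name, sorted(missing)))
    return gaps

def needs_justification(policy, old_label, new_label):
    """True when the policy requires justification and the change removes
    the label or moves it to a less sensitive one."""
    if not policy["require_justification"] or old_label is None:
        return False
    if new_label is None:  # label removed
        return True
    return rank(new_label) < rank(old_label)  # downgrade

if __name__ == "__main__":
    for gap in scope_gaps(LABELS, POLICIES):
        print("scope gap:", gap)
    print("Confidential -> Internal needs justification:",
          needs_justification(POLICIES[0], "Confidential", "Internal"))
```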
Microsoft Cloud App Security is already used for discovering and auditing documents in third-party apps like Box, Dropbox and Google suite. Cloud App Security now supports sensitivity labeling. Using a Cloud App Security file policy, it automatically applies the sensitivity label to documents in the third-party app. Based on the sensitivity label, it automatically applies encryption to the document, which helps to better protect your documents in the third-party app location.
We need to create a new file policy from Control > Policy > File policy > Governance, select the required app (Box, Dropbox, Google suite), enable classification and select the required label.
Microsoft recently announced sensitivity label support for SharePoint Online documents, and this feature is in private preview. In this private preview, it has the following features.
Microsoft recently announced sensitivity label support for SharePoint Online sites, and this feature is in private preview. In this private preview, we can classify a site using a sensitivity label.
Sensitivity labels support the following features in a SharePoint site.
You can apply the sensitivity label during site creation. You can also manage site sensitivity from SharePoint admin center > Active sites > select the required site > site properties > Sensitivity.
For more information, refer to the following link: https://docs.microsoft.com/en-us/Office365/SecurityCompliance/sensitivity-labels#protect-content-on-windows-devices-by-using-endpoint-protection-in-microsoft-intune