Like our customers, eShare strives to leverage all the modern collaboration tools we have at our disposal. As a Microsoft customer eager to deploy MIP labeling, we have optimized the business value attained with current licensing and cost-justified our adoption journey for productivity tools as well as Microsoft Information Protection. With this suite of Microsoft products, we want to use OneDrive, SharePoint, and Teams not just internally but also for external collaboration. As we looked to achieve our own Secure Data Collaboration goals, it became clear that we could benefit from the adoption of MIP labeling. As a team, eShare has deep experience building and managing data loss prevention and data classification products. Naturally, with this kind of background, deploying our own labeling taxonomy should be a breeze – right? After a few more meetings than we anticipated, we had defined a taxonomy that we could all agree on and that met the requirements of our SOC 2-driven Information Classification Policy. Here is where our eShare taxonomy landed using MIP labeling:
1. Public:
• This is information that is suited, and in many cases created, for public disclosure.
• No control policies but requires business justification if a user selects this label.
2. Confidential:
• This is information that is related to everyday business activities, such as product and marketing documentation
• This is our default label
• All Confidential data must stay within eShare’s control, which means e-mail attachments will be stripped (using eShare’s Secure Mail Gateway) and placed into a trusted share on SharePoint
• External users will not require a login to the trusted share
• However, every action (open, edit, download, etc.) will be logged and be visible in our Microsoft Power BI analytics reports
3. Restricted (includes all Confidential policies):
• This is all customer custodial data and customer data
• Login to the trusted share will be required from external users (OpenID, OTP)
• Anything regulated found with auto-labeling would be tagged at this level
4. Private (includes all Restricted policies):
• This is information that only a minimal amount of people should have access to
• Investor, financial, internal-only documents
• Allow list (limited to 20-30 people/domains)
• Headers and footers are applied
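To make the "includes all policies of the level below" rule concrete, here is an added example (not eShare's code and not the MIP policy engine) that evaluates an external recipient's access to a trusted-share file under this four-label taxonomy and enforces the business-justification step for a downgrade to Public. The allow-list entries and user names are constructed placeholders.

```python
from dataclasses import dataclass
from enum import IntEnum


class Label(IntEnum):
    """Ordered so that a higher label inherits every control of the lower ones."""
    PUBLIC = 0
    CONFIDENTIAL = 1   # the default label
    RESTRICTED = 2
    PRIVATE = 3


# Constructed allow list for the Private label (hypothetical users/domains).
PRIVATE_ALLOW_LIST = {"cfo@example.com", "investor-partner.example"}


@dataclass
class Access:
    allowed: bool
    reason: str
    logged: bool = False          # every action logged (Confidential and up)
    login_required: bool = False  # OpenID/OTP login (Restricted and up)
    header_footer: bool = False   # headers/footers applied (Private)


def external_access(label: Label, user: str, authenticated: bool) -> Access:
    """Decide what an external recipient gets for a file in the trusted share."""
    if label == Label.PUBLIC:
        return Access(True, "public: no controls")
    acc = Access(True, "confidential: access logged, no login", logged=True)
    if label >= Label.RESTRICTED:
        acc.login_required = True
        if not authenticated:
            acc.allowed, acc.reason = False, "restricted: login required (OpenID/OTP)"
            return acc
        acc.reason = "restricted: authenticated, access logged"
    if label == Label.PRIVATE:
        acc.header_footer = True
        domain = user.rsplit("@", 1)[-1]
        if user not in PRIVATE_ALLOW_LIST and domain not in PRIVATE_ALLOW_LIST:
            acc.allowed, acc.reason = False, "private: user/domain not on allow list"
            return acc
        acc.reason = "private: on allow list, headers/footers applied"
    return acc


def relabel(current: Label, requested: Label, justification: str = "") -> Label:
    """Downgrading to Public needs a recorded business justification."""
    if requested == Label.PUBLIC and current > Label.PUBLIC and not justification.strip():
        raise PermissionError("business justification required to downgrade to Public")
    return requested
```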
So, what did we learn deploying MIP labeling?
1) Always start with why - then talk about the labels.
With labeling, people tend to overly focus on the actual names of the labels, resulting in many hours/weeks/months/years of discussion. However, if you are not clear on the “why,” there will be an endless loop of frustration. In this case, the why is: what controls do we want to have? At eShare, since we use our product, the discussion focused on the kinds of access we will grant external recipients to our Trusted Shares based on the label. To accomplish this, you need to think hard about whom you interact with most on a daily basis and compartmentalize policies to those categories. This then leads to lesson number two.
2) Do not overcomplicate (KISS - Keep It Simple, Stupid).
As organizations start to think about their labels and classify the different groups and privileges, things can get complicated quickly. Therefore, the moment you feel discussions getting out of control, communicate the importance of simplification. Less is more. Strive to find the few things that can make a real difference. If you try to build a label with sub-labels for every interaction that might exist, the taxonomy will become overburdened and useless. eShare decided to stay very simple (which is hard) and stick to four labels with no sub-labels. It is essential to consider the level of maturity and readiness of your end-users regarding data protection. Giving users too many options will cause analysis paralysis, diminishing the classification process.
3) Consider how this will impact sharing with external users.
Often labeling discussions get focused on data inventory and internal data flows, but perhaps more importantly, you should consider how these labels will impact external sharing. As you can see from the eShare taxonomy, our data classification policy is more heavily focused on what this means for external users and their access to our data. Of course, it is vital that certain internal information is kept private (e.g., investor relations). So we accounted for that with a label that provides policy granularity at a user/domain level.
4) Focus on newly created data first, then data at rest and in motion.
Even as a small company, eShare has a ton of unstructured data; however, we started our labeling journey with data that is newly created and deployed MIP to all users in the business first. From there, we used Microsoft Cloud App Security to apply document labels to existing files in OneDrive and SharePoint so that we can control access to any and all externally shared files based on label policies (e.g., Restricted files require a user login through OpenID).
5) Defaults can help when used correctly.
There is always a great debate around using default labels. If you are not careful, they can create complacency and confusion. For eShare, as you can see, we opted to stay away from an Internal label and instead used Confidential as our default label. We have found that 90% of our data is Confidential, so let us not get in our employees’ way. However, if they downgrade to Public, we have a business justification workflow to ensure the downgrade is warranted and tracked.
Microsoft Information Protection labeling is something to consider for every company that uses Microsoft products and collaborates externally. If you want to talk more about labeling and even see a demo of our taxonomy in action, we would be happy to walk you through it.