Email is an unavoidable tool for communication in the business world. From quick notes to attached forms to announcements, it is a key component of anyone needing to stay abreast of and share work status. Saving content from a cloud storage location for easier collaboration is becoming increasingly common in our networked world.
This means that content no longer stays behind a firewall – it roams everywhere, across devices, apps, and services. And when it roams, you want it to do so in a secure, protected way that meets your organization’s business and compliance policies.
Microsoft has a neat built-in app for controlling sensitive content. You can read about it here as well as below. This feature requires an Office 365 subscription and is available for users and organizations whose administrators have configured Sensitivity labels and turned on the feature as described below.
Encryption uses Azure Rights Management (Azure RMS). Azure RMS uses encryption, identity, and authorization policies. To learn more, see What is Azure Rights Management?
How to turn on encryption for a sensitivity label
The encryption settings are available when you create a sensitivity label in the Microsoft 365 compliance center, Microsoft 365 security center, or Office 365 Security & Compliance Center. In the left nav, choose Classification > Sensitivity label > Create a label. Simply toggle Encryption to On, and then choose whether to:
- Assign permissions now, so that you can determine exactly which users get which permissions to content with that label. For more information, see the next section Assign permissions now.
- Let users assign permissions when they apply the label to content. This way, you can allow people in your organization some flexibility that they might need to collaborate and get their work done. For more information, see the below section Let users assign permissions.
With Microsoft’s sensitivity labels, you can classify and protect your sensitive content, while making sure that user’s productivity and ability to collaborate isn’t hindered.
Then create the label name and add a tooltip to make clear it’s purpose and a description for deeper detail. Then set encryption and the other labels you want to assign (Content marking, Endpoint Data Loss prevention, and Auto Labeling).
As Microsoft notes in it’s support docs, Sensitivity labels are used to:
- Enforce protection settings like encryption on labeled content. For instance, you can apply a Confidential label to a document or email, and that label can encrypt the content. You can also apply a Confidential watermark.
- Protect content in Office apps across different platforms and devices. Sensitivity labels work in Office apps on Windows, Mac, iOS, and Android. Microsoft promises that support for Office web apps is coming soon.
- Prevent sensitive content from leaving your organization on devices running Windows, by using endpoint protection in Microsoft Intune. When a sensitivity label has been applied to content that is stored on a Windows device, endpoint protection can prevent that content from being copied to a third-party app, like Twitter, or being copied to removable storage, such as a USB drive. It also works on Gmail.
- Protect content in third-party apps and services, by using Microsoft Cloud App Security. With Cloud App Security, you can detect, classify, label, and protect content in third-party apps and services, such as SalesForce, Box, or DropBox, even if the third-party app or service does not read or support sensitivity labels.
- Extend sensitivity labels to third-party apps and services. With the Microsoft Information Protection SDK, third-party apps on these platforms can read sensitivity labels and apply protection settings.
- Classify content without using any protection settings. You can also simply assign a classification to content (like a sticker) that persists and roams with the content as it’s used and shared. You can use this classification to generate usage reports and see activity data for your sensitive content. Based on this information, you can always choose at a later time to apply protection settings.
With sensitivity labels, you can classify data across your organization and enforce protection settings based on that classification. You create sensitivity labels in the Microsoft 365 compliance center, Microsoft 365 security center, or Office 365 Security & Compliance Center under Classification > Sensitivity labels. These sensitivity labels can be used by Azure Information Protection, Office apps, and Office 365 services.
See how to use Azure Information Protection here.
Sensitivity labels are customizable, clear text and persistent. You can create categories for different levels of sensitive content in your organization, such as Personal, Public, General, Confidential, and Highly Confidential. It is in clear text for third party apps to easily recognize so you can apply labels as needed. It persists in the metadata of the document or email so it roams with the content wherever it goes. This helps enforce your policies.
You can encrypt email only or both email and documents. You can choose which users or group have permissions to perform which actions and for how long.
You can mark the content by adding custom watermarks, headers, or footers to email or documents that have the label applied.
You can apply the label automatically to content that contains sensitive information. You can choose what types of sensitive information that you want labeled, and the label can either be applied automatically, or you can prompt users to apply the label that you recommend.
There is a lot more you can do with sensitivity labels such as:
Name your label and add a description for better documentation
Assign a priority so that top priority labels appear at the top of the Sensitivity tab
Apply sub-labels for further categorization.
You can apply policies to limit who can see/edit a label. You can require a justification to document the need to change a label.
You can require users to apply a label to their email and documents. If you want all of a user’s content to be labeled, you can require that a label must be applied to all of their saved documents and sent emails. The label can be assigned manually by the user, automatically as a result of a condition, or be assigned by default (the default label option described above).
(Note that mandatory labeling requires an Azure Information Protection subscription.)
You can provide help link to a custom help page. If your users aren’t sure what your sensitivity labels mean or how they should be used, you can provide a Learn More URL that appears at the bottom of the Sensitivity label menu in the Office apps.
The Sensitivity labels will appear in the pull down from the Sensitivity control in the ribbon (be sure it is active in your ribbon).
I hope this opens some eyes to more control of email and content. The power of Office 365 is taking over all aspects of Microsoft apps, which is a good thing….once you know about them and how to use them.