How do you keep data, such as Controlled Unclassified Information (CUI), secure once it is no longer on your network or behind your firewall? Microsoft's answer is labels. Labels secure the data itself rather than the container it lives in, an approach known as data-centric security. This model uses classification and encryption to protect data wherever it goes, because the mobile workforce has removed any fixed perimeter around it. Microsoft's labeling products are most relevant to the NIST and CMMC Access Control (AC) family, specifically NIST 800-171 3.1.3, "Control the flow of CUI in accordance with approved authorizations," and CMMC AC.2.016. Control starts with identification and marking of CUI.
Microsoft intends to handle all labeling in a single product and interface. Today, however, there are two sets of labels: Azure Information Protection (AIP) labels and Sensitivity labels (the Unified Labeling Experience). Before using either or both, establish a classification strategy and taxonomy for your organization that defines the levels of sensitive content. This post covers the two products, their pros and cons, and the features that support NIST and DFARS compliance.
Azure Information Protection (AIP)
Azure Information Protection labels are created in Azure, and specifically in Azure Government for Office 365 Government Community Cloud (GCC) High. The quickest way to reach them is to open the Azure portal, search for "information", and select Azure Information Protection.
With AIP you configure two things, labels and policies. A label is what you apply to the data; a policy carries additional settings for a group of labels.
AIP labels mark and/or protect your data to achieve the data-centric security model described above. Visual marking is applied as a header, footer, and/or watermark, either statically (manually) or dynamically. AIP can also apply different visual markings per Office application: Word can carry different markings than Excel or PowerPoint. Marking and protection do not depend on each other: marked data does not have to be protected, protected data does not have to be marked, and data can be both as needed.
Protection in AIP is provided by the Rights Management Service (RMS), which protects data both in transit and at rest. Most organizations use a combination of marking and protection labels to satisfy their classification needs. Some examples:
- General – Marking label for all company content
- Secure – Marking and protection label for internal and external use
- Controlled Unclassified Information (CUI) - Marking and protection label for select users only
- Proprietary – Marking and protection label for internal use only
Each AIP label must be assigned to a policy when it is created. By default, a global policy applies to all users. It is recommended to create an additional policy scoped to a subset of users for testing during the rollout of new labels; once testing is complete, move the label into the all-users policy as needed. The AIP client and its labels offer the following advantages:
- Ability to scan on-premises data and apply labels
- Ability to Track and Revoke protected documents
- Multi-language support
- Logging to Event Viewer
- Hold Your Own Key (HYOK) support
- Protection without labeling
- Dynamic labeling
and the following limitations:
- Cannot work on other client platforms (macOS, iOS, and Android)
- Registry changes required for GCC High
- XML required for custom sensitivity types
Sensitivity Labels (Unified Labeling Experience)
Sensitivity labels are Microsoft's newest classification method. They are similar in purpose to AIP labels but differ in implementation and functionality. As of this writing, most organizations with both Windows and Apple devices will need a combination of AIP labels and Sensitivity labels. If your company has no Apple devices and does not need track and revoke or any of the other advanced features listed above, I would recommend deploying only sensitivity labels in the unified labeling client.
Below are a couple of examples of the unified labeling client. The first showcases some of the encryption and access policy capabilities. Combined with Intune, label-based encryption in unified labeling helps meet:
3.1.17 Protect wireless access using authentication and encryption.
3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
Auto-labeling is a powerful compliance tool because it takes some of the onus off users. A user can be prompted when certain phrasing or numeric patterns appear in a document, and a label can be applied automatically when the criteria are met. This feature set supports NIST 800-171 3.8.4, "Mark media with necessary CUI markings and distribution limitations," and DFARS 7012(h), DoD safeguarding and use of contractor attributional/proprietary information: "To the maximum extent practicable, the Contractor shall identify and mark attributional/proprietary information."
Sensitivity labels offer the following advantages:
- Works on multiple client platforms
- Migrate existing labels to create unified labels
- Synchronize unified labels and AIP labels
- Promote and demote labels
- Integrate Endpoint Data Loss Prevention via Windows Information Protection (WIP)
- SCC PowerShell to add advanced settings to labels for feature parity
and the following limitations:
- No ability to scan on-premises data and apply labels
- No ability to Track and Revoke protected documents (Track and Revoke portal in progress)
- No custom permissions in Office apps (slated for release in a coming update)
- No Do Not Forward button in Outlook (it is, however, under the Encrypt button in the ribbon)
- No multi-language support
- No color coding
Label Administrators
Helping with the separation of duties in 3.1.4 ("Separate the duties of individuals to reduce the risk of malevolent activity without collusion"), the following roles can be used to meet your compliance requirements.
- AIP labels are managed by the Azure Information Protection Administrator
- Sensitivity Labels (Unified Labeling Experience) can be managed by the following roles:
  - Organization Management
  - Compliance Administrator
  - Compliance Data Administrator
  - Security Administrator
Migrating to Office 365 GCC High for DFARS 7012 compliance is an ideal path forward. However, labeling of CUI, CDI, and ITAR is equally important to your compliance and needs to be accounted for in your System Security Plan (SSP).
At this point, Sensitivity labels do not have feature parity with AIP labels. For this reason, most organizations will want a hybrid approach that uses both AIP and sensitivity labels. It is best practice to record in your Plan of Action and Milestones (POA&M) the intent to move to a single labeling solution once Microsoft completes the transition. Some users will need the AIP client installed, with the registration and DNS changes required for GCC High, while others will use unified labels.
When you migrate your labels to unified labels, every label subsequently created in SCC is also created in Azure as part of a "synchronization" that keeps the two sets as similar as possible. During this process there have been cases where not all labels were replicated exactly. It is recommended to verify that all settings match in both locations throughout the hybrid phase of the implementation.
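As an added example (not from the original post), the following Security & Compliance Center PowerShell session shows the two tasks the post mentions: pushing advanced settings to the unified label policy to recover classic-client behaviour, and exporting the unified label set so it can be checked against the labels the synchronization created in Azure. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds one of the label-admin roles listed above, the policy is named "Global" (a placeholder for your tenant), and the GCC High endpoint parameters match Microsoft's documented values for your environment.

```powershell
# Added example, not part of the original post.
# Assumes: ExchangeOnlineManagement module installed; a label policy named
# "Global" (placeholder); GCC High endpoints as documented by Microsoft.

# GCC High connection parameters (commercial tenants omit both).
$gccHigh = @{
    ConnectionUri                   = 'https://ps.compliance.protection.office365.us/powershell-liveid/'
    AzureADAuthorizationEndpointUri = 'https://login.microsoftonline.us/common'
}
Connect-IPPSSession @gccHigh

# Advanced settings documented for the unified labeling client that restore
# behaviour the classic AIP client exposed in its policy UI.
$paritySettings = @{
    RequireDowngradeJustification = 'True'      # prompt and log when a user lowers a label
    AttachmentAction              = 'Automatic' # Outlook mail inherits the highest attachment label
    OutlookDefaultLabel           = 'None'      # no silent default label on new mail
}
Set-LabelPolicy -Identity 'Global' -AdvancedSettings $paritySettings

# Read the settings back to confirm they were applied.
(Get-LabelPolicy -Identity 'Global').Settings

# Export the unified label set (name, GUID, priority, parent) for a
# side-by-side check against the labels synchronized into Azure.
Get-Label |
    Select-Object DisplayName, Name, Guid, Priority, ParentId, Tooltip |
    Sort-Object Priority |
    Export-Csv -Path .\unified-labels.csv -NoTypeInformation
```

Re-run the export after each label change during the hybrid phase and diff it against the previous copy, so a label that failed to synchronize is caught before it reaches users.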