When to Choose What Label in Office 365 – the new dilemma!


I often give Information Management/Data Protection presentations to discuss the new capabilities existing in Office 365 to help manage it. This typically covers Azure Information Protection (AIP), Data Loss Prevention (DLP) and the new Retention Labels. It has become clear to me that a new problem is starting to emerge in this space and for some reason, not many are talking about it. For several years, many of us have been grappling with the concept of “When to Use What Tool” in Office 365 and in fact, an entire school of thought has emerged to answer that question. Whitepapers, blog posts, infographics and presentations have been created covering this misunderstood, and often confusing, aspect of Office 365.

I believe once we get a handle on that issue, another one is hot on its heels. I call it the “When to Choose What Label” dilemma. For organizations scrambling to comply with the new regulatory requirements of GDPR for May 2018 or just needing to comply with their own corporate or industry regulations, this issue is far more concerning than the “When to Use What” question ever was simply due to the potential of some very real negative (financial) consequences if not done right. Let me explain.


Why is this so important?

Whether an organization is using a SharePoint site provisioned by an O365 Outlook group, Yammer group, or Microsoft Team, the information stored in all of them needs to be managed and protected. Regardless of how sophisticated and automated the tools are behind the scenes, the success of Information Management/Data Protection still significantly comes down to the end-user sitting in front of the keyboard and how well they understand the options presented to them via the Office clients. If unclear labels are presented, end-users may not know which one to pick, get frustrated and pick something just to “get by”. Automate labels incorrectly and you may stop end-users right in their tracks if they aren’t able to override the selection. This can lead to something called Shadow IT, a problem that plagues many organizations today.

Recommended Labels

This graphic represents Microsoft’s recommendations for high-level AIP label names. This list is based on experience with many customers and found to be simple, well-understood, unambiguous and easy to differentiate from one another. An organization can certainly deviate from this list; however, you should do so with intent and purpose.

 


Typical Scenario: An employee in Sales opens up Word to prepare a new document for an upcoming sales opportunity. This document will contain information about a potential customer which is sensitive in nature. How should it be labeled? The AIP labels are presented to the end-user on the toolbar at the top of the Word client. We have no default label for the library she is working in nor for her department and there is nothing in the document that can be queried to auto-detect a label for her. She is confronted with the decision to classify the document – she should classify it as ‘Confidential’ since the document contains sensitive information, however there is nothing stopping her from selecting a different, less sensitive, label if she fails to consider the content of the document.

There is a very dangerous assumption being made in this scenario – one that assumes the end-user is armed with the knowledge to make the correct decision to label it appropriately. An end-user needs to carefully consider the content of the document in order to select the “right” label; we can’t assume end-users will know the criteria they should use to do this. Although there will be times the decision will be obvious, many times it won’t be. This can become a compliance issue for an organization since there can be different controls configured for different labels.

For example, in your organization, you may have configured the ‘General’ AIP label to allow external sharing as well as forwarding. Your organization may have also configured the ‘Confidential’ AIP label to restrict external sharing altogether. This demonstrates a significant difference in the down-stream options for a document entirely based on how it was labeled. This is an important distinction that needs to be well-understood by end-users.


It all comes down to this

It all comes down to user education and delegating the responsibility of the decision to the user. Although it’s true you can automate which label is selected, you will not be able to do this in all cases and for all things. For this reason, I believe a new type of training should be introduced into the Office 365 Adoption training toolkit titled “When to Choose What Label in Office 365”.

I’ll be working on incorporating some ideas for an effective training session on this topic over the coming weeks. I believe it should be part of an organization’s Office 365 Adoption training program to ensure their information is being managed and protected across their tenant to reduce the risk of mismanaged information.

I’d love to know your thoughts on this. Do you have/are you planning a training program in your organization to cover this aspect of Office 365?

Thanks for reading

-JCK


4 thoughts on “When to Choose What Label in Office 365 – the new dilemma!”

  1. Joanne, thank you for taking the time to explain labels and labeling. It seems to me that there are 2 labeling systems, AIP and O365, and they do not work together. I am trying to determine how to apply AIP labels to SharePoint and it looks like O365 labels do that but are not used with RMS. Do you have some insight or guidance on how the two work together or are they separate but equally required? Thanks in advance.

    -Steve

    1. Hi Stephen,
      You are correct – as of right now, AIP labels and Retention labels do not work together. AIP controls protecting your content (and can use RMS templates) whereas Retention labels simply control the retention and disposition of content. In the future, these two labeling systems may converge in some aspects, but I’m not aware of what those plans are.
      Joanne K
