I often give Information Management/Data Protection presentations to discuss the new capabilities existing in Office 365 to help manage it. This typically covers Azure Information Protection (AIP), Data Loss Prevention (DLP) and the new Retention Labels. It has become clear to me that a new problem is starting to emerge in this space and for some reason, not many are talking about it. For several years, many of us have been grappling with the concept of “When to Use What Tool” in Office 365 and in fact, an entire school of thought has emerged to answer that question. Whitepapers, blog posts, infographics and presentations have been created covering this misunderstood, and often confusing, aspect of Office 365.
I believe once we get a handle on that issue, another one is hot on its heels. I call it the “When to Choose What Label” dilemma. For organizations scrambling to comply with the new regulatory requirements of GDPR for May 2018 or just needing to comply with their own corporate or industry regulations, this issue is far more concerning than the “When to Use What” question ever was simply due to the potential of some very real negative (financial) consequences if not done right. Let me explain.
Examples given in the remainder of this post are for AIP labels. There is work being done to unify AIP and Retention labels; however, that capability is not currently available. Refer to my post, AIP and Retention Labels: What’s the diff?, for my explanation of the difference between these two types of labels.
Why is this so important?
Whether an organization is using a SharePoint site provisioned by an O365 Outlook group, Yammer group, or Microsoft Team, the information stored in all of them needs to be managed and protected. Regardless of how sophisticated and automated the tools are behind the scenes, the success of Information Management/Data Protection still significantly comes down to the end-user sitting in front of the keyboard and how well they understand the options presented to them via the Office clients. If unclear labels are presented, end-users may not know which one to pick, get frustrated and pick something just to “get by”. Automate labels incorrectly and you may stop end-users right in their tracks if they aren’t able to override the selection. This can lead to Shadow IT, a problem that plagues many organizations today.
This graphic represents Microsoft’s recommendations for high-level AIP label names. This list is based on experience with many customers and has been found to be simple, well-understood, unambiguous and easy to differentiate from one another. An organization can certainly deviate from this list, but should do so only after careful consideration.
Typical Scenario: An employee in Sales opens up Word to prepare a new document for an upcoming sales opportunity. This document will contain information about a potential customer which is sensitive in nature. How should it be labeled? The AIP labels are presented to the end-user on the toolbar at the top of the Word client. We have no default label for the library she is working in nor for her department and there is nothing in the document that can be queried to auto-detect a label for her. She is confronted with the decision to classify the document – she should classify it as ‘Confidential’ since the document contains sensitive information, however there is nothing stopping her from selecting a different, less sensitive, label if she fails to consider the content of the document.
There is a very dangerous assumption being made in this scenario – one that assumes the end-user is armed with the knowledge to make the correct decision to label it appropriately. An end-user needs to carefully consider the content of the document in order to select the “right” label; we can’t assume end-users will know the criteria they should use to do this. Although there will be times the decision will be obvious, many times it won’t be. This can become a compliance issue for an organization since there can be different controls configured for different labels.
For example, in your organization, you may have configured the ‘General’ AIP label to allow external sharing as well as forwarding. Your organization may have also configured the ‘Confidential’ AIP label to restrict external sharing altogether. This demonstrates a significant difference in the down-stream options for a document entirely based on how it was labeled. This is an important distinction that needs to be well-understood by end-users.
It all comes down to this
It all comes down to user education and delegating the responsibility of the decision to the user. Although it’s true you can automate which label is selected, you will not be able to do this in all cases and for all things. For this reason, I believe a new type of training should be introduced into the Office 365 Adoption training toolkit titled “When to Choose What Label in Office 365”.
I’ll be working on incorporating some ideas for an effective training session on this topic over the coming weeks. I believe it should be part of an organization’s Office 365 Adoption training program to ensure their information is being managed and protected across their tenant to reduce the risk of mismanaged information.
[Update December 2017] I’ve recently blogged about creating a SharePoint Communication site to help end-users adopt the data protection controls in your organization titled O365 Data Protection: Information Worker Adoption. Check it out!
I’d love to know your thoughts on this. Do you have/are you planning a training program in your organization to cover this aspect of Office 365?
Thanks for reading
Joanne, thank you for taking the time to explain labels and labeling. It seems to me that there are 2 labeling systems, AIP and O365, and they do not work together. I am trying to determine how to apply AIP labels to SharePoint and it looks like O365 labels do that but are not used with RMS. Do you have some insight or guidance on how the two work together or are they separate but equally required? Thanks in advance.
You are correct – as of right now, AIP labels and Retention labels do not work together. AIP controls protecting your content (and can use RMS templates) whereas Retention labels simply control the retention and disposition of content. In the future, these two labeling systems may converge in some aspects, but I’m not aware of what those plans are.
I heard at Ignite that there was work underway via the “Advanced Data Governance” tools (which we have licensed for our deployment) to merge these two ideas. Nishan DeSilva and others are working on this across SharePoint and OneDrive. There are also features rolling out to assign things in bulk by default and improved ways to manage the label assignments as “required metadata properties” via panels in the apps (they demo Word) and in something called “attention views”. Check a presentation from Chris McNulty and Ian Storey from Ignite – BRK2226 – also good stuff!
Thanks Mike. Yes, the Retention and Protection labels are being ‘unified’ as was demonstrated at Ignite. This is great news. The Attention Views and property editing in Word (the old Document Information Panel) are also great improvements – didn’t know whether or not Labels was going to be included in that though. Thank you for sharing these updates!
I agree that over time, the integration picture will improve for these controls.
Hello, we are already in May 2018, and I got the information (from the Yammer site) that there are Private previews in place, where the unification between AIP Labels and these on Office 365 (Security&Compliance) are tested.
I must say that I was quite confused when I got into this topic.
On top of that the original ADRMS which I believe should get obsolete by using AIP, correct?
Anyway, very good website, Joanne. Respect.
That is correct – AIP instead of AD RMS. I’m also very interested to see the unified labels in action.
Thank you so much for your support!