Blog Post: 2 minute read
I often give Information Management/Data Protection presentations to discuss the new capabilities existing in Office 365 to help manage it. This typically covers Azure Information Protection (AIP), Data Loss Prevention (DLP) and the new Retention Labels. It has become clear to me that a new problem is starting to emerge in this space and for some reason, not many are talking about it. For several years, many of us have been grappling with the concept of “When to Use What Tool” in Office 365 and in fact, an entire school of thought has emerged to answer that question. Whitepapers, blog posts, infographics and presentations have been created covering this misunderstood, and often confusing, aspect of Office 365.
I believe once we get a handle on that issue, another one is hot on its heels. I call it the “When to Choose What Label” dilemma. For organizations scrambling to comply with the new regulatory requirements of GDPR for May 2018 or just needing to comply with their own corporate or industry regulations, this issue is far more concerning than the “When to Use What” question ever was simply due to the potential of some very real negative (financial) consequences if not done right. Let me explain.
Examples given in the remainder of this post are for AIP labels. There is work being done to unify AIP and Retention labels however that capability is not currently available. Refer to my post, AIP and Retention Labels: What’s the diff?, for my explanation of the difference between these two types of labels.
Why is this so important?
Whether an organization is using a SharePoint site provisioned by an O365 Outlook group, Yammer group, or Microsoft Team, the information stored in all of them needs to be managed and protected. Regardless of how sophisticated and automated the tools are behind the scenes, the success of Information Management/Data Protection still significantly comes down to the end-user sitting in front of the keyboard and how well they understand the options presented to them via the Office clients. If un-clear labels are presented, end-users may not know which one to pick, get frustrated and pick something just to “get by”. Automate labels incorrectly and you may stop end-users right in their tracks if they aren’t able to override the selection. This can lead to Shadow IT, a problem that plagues many organizations today.
Typical Scenario: An employee in Sales opens up Word to prepare a new document for an upcoming sales opportunity. This document will contain information about a potential customer which is sensitive in nature. How should it be labeled? The AIP labels are presented to the end-user on the toolbar at the top of the Word client. We have no default label for the library she is working in nor for her department and there is nothing in the document that can be queried to auto-detect a label for her. She is confronted with the decision to classify the document – she should classify it as ‘Confidential’ since the document contains sensitive information, however there is nothing stopping her from selecting a different, less sensitive, label if she fails to consider the content of the document.
There is a very dangerous assumption being made in this scenario – one that assumes the end-user is armed with the knowledge to make the correct decision to label it appropriately. An end-user needs to carefully consider the content of the document in order to select the “right” label; we can’t assume end-users will know the criteria they should use to do this. Although there will be times the decision will be obvious, many times it won’t be. This can become a compliance issue for an organization since there can be different controls configured for different labels.
For example, in your organization, you may have configured the ‘General’ AIP label to allow external sharing as well as forwarding. Your organization may have also configured the ‘Confidential’ AIP label to restrict external sharing altogether. This demonstrates a significant difference in the down-stream options for a document entirely based on how it was labeled. This is an important distinction that needs to be well-understood by end-users.
It all comes down to this
It all comes down to user education and delegating the responsibility of the decision to the user. Although it’s true you can automate which label is selected, you will not be able to do this in all cases and for all things. For this reason, I believe a new type of training should be introduced into the Office 365 Adoption training toolkit titled “When to Choose What Label in Office 365″.
I’ll be working on incorporating some ideas for an effective training session on this topic over the coming weeks. I believe it should be part of an organization’s Office 365 Adoption training program to ensure their information is being managed and protected across their tenant to reduce the risk of mismanaged information.
[Update December 2017] I’ve recently blogged about creating a SharePoint Communication site to help end-users adopt the data protection controls in your organization titled O365 Data Protection: Information Worker Adoption. Check it out!
I’d love to know your thoughts on this. Do you have/are you planning a training program in your organization to cover this aspect of Office 365?
Thanks for reading
-JCK