
Sending secure email… OME, AME, and Sensitivity Labels | What gives?


I heard a great question today… “there are so many options for sending a secure email using Microsoft technologies… what’s the difference between them and which one is right for me?”

Sidebar: Whether we like it or not, email still accounts for a significant portion of external communication today. Technologies discussed in this post are built to help address the concern organizations have with sharing sensitive information via email.

Office Message Encryption, Advanced Message Encryption, and Sensitivity Labels can all apply a level of encryption and restrictions when sending an email message. To be clear, all 3 technologies use Microsoft’s Azure Rights Management Service as the encryption technology.

Although the documentation I link to for each option above describes the “how to configure” part, this post is answering the “why/when would you use one over the other?” question. Most practitioners are looking for this context and understanding to be able to provide their own guidance on the appropriate technology to choose for any given scenario.

When I heard this question, I remember having the same one when I first discovered the options for sending a secure email. Is there a difference? If so, what are the differences? This post will frame the options to show the commonalities and differences between them.

To lay the groundwork for wanting to have secure email communication, here are typical reasons why securing an email is something organizations want to do:

TLDR? Here are my thoughts…

It’s not an “or”, it’s an “and/if/when”…

Some factors to consider:

The overall course of action for sending secure emails should be to work towards defining Sensitivity labels as a by-product of your organization’s broader information protection strategy program. Here are some places to start:

The next 3 sections describe OME, AME, and Sensitivity labels…


Office Message Encryption | OME

At the time of this writing, OME comes with an E1, E3, A3, G3, A5, E5, G5, M365 Business Premium, or AIP P1 license (License reference). By default, there are 2 OME rights-protected options available to use:

These can be assigned to emails in several ways:

Using Outlook Web Access (OWA) and the Outlook app, here are the end-user experiences for applying these options to an email:

Once selected, the sender will see this on the top of their email indicating it has the encryption template applied. In the example below, I’ve selected the Encrypt-Only option:

Applying an OME template through either a mail flow rule or a DLP policy ensures OME will always be applied based on the conditions you specify. It’s best to automate this whenever possible; however, recognize the need for end-users to also be able to do it manually on an as-needed basis.

Tip: Provide “Sending Secure Email” training to end-users in your organization so they can choose to manually apply OME to their email if required.

With OME, you can force the external recipient to receive a custom-branded email wrapper around their rights-protected email from one of the OME rights protection templates (Encrypt-only, Do Not Forward, or one of your other Sensitivity Label rights protection templates) via a mail flow rule. This email wrapper goes around the original email to force it to be read in a secure OME portal instead of the mail client/app. With this approach, you have more control over the recipient’s OME experience (image, introduction text, read button text, background color, email text, and disclaimer text) and it may also provide external recipients some peace of mind that the encrypted message they’re receiving is from your organization. OME allows you to brand the default template only (as opposed to AME, which allows for multiple custom templates).

The default OME branding template is configured via PowerShell only.

Sample email wrapper with the un-customized default template:

Sample email wrapper with customization (everything circled in yellow has been customized via PowerShell):

You may want to update the default OME template as shown above to add brand recognition and custom messaging/privacy link to the email wrapper for external recipients.


Advanced Message Encryption | AME

AME is available with an E5 license and provides some additional features over and above OME. With AME, you can do these additional things for your custom-branded OME templates:

Below is an example of a custom-branded template using AME. I have set the expiry date for 7 days from date sent (circled in yellow):


You will see all custom-branded templates in the mail flow rule wizard as an option to apply to any rights-management protected email.

Examples where multiple branding templates might come in handy:

Similar to the OME templates above, the AME templates are configured via PowerShell only.
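As an added example (not from the original post), the following Exchange Online PowerShell shows the two PowerShell-only steps described above: branding the single default OME template, then (with AME) creating a second template with a 7-day expiry and a mail flow rule that applies it. It assumes an existing Connect-ExchangeOnline session with the appropriate admin role; the template names, logo path, text, color and recipient domain are placeholders.

```powershell
# Added example, not the post's own code. Assumes an Exchange Online
# PowerShell session is already open (Connect-ExchangeOnline).
# All names, paths, text and domains below are placeholders.

# --- OME: customize the one default branding template -----------------------
# Windows PowerShell 5.1 syntax; on PowerShell 7 use -AsByteStream instead.
$logo = Get-Content -Path "C:\Branding\logo.png" -Encoding Byte -ReadCount 0

Set-OMEConfiguration -Identity "OME Configuration" `
    -Image $logo `
    -IntroductionText "has sent you a secure message from Contoso." `
    -EmailText "Open this message in the Contoso secure portal." `
    -ReadButtonText "Read secure message" `
    -BackgroundColor "#004B87" `
    -DisclaimerText "This message is intended only for the named recipient." `
    -PrivacyStatementUrl "https://www.contoso.example/privacy"

# --- AME (E5 only): an additional, purpose-specific template ----------------
# Expiry and sign-in restrictions are the AME-only settings; the wrapper text
# is customized separately for this audience.
New-OMEConfiguration -Identity "Contoso External Partners"

Set-OMEConfiguration -Identity "Contoso External Partners" `
    -ExternalMailExpiryInDays 7 `
    -SocialIdSignIn $false `
    -OTPEnabled $true `
    -IntroductionText "has sent you a secure message for Contoso partners."

# --- Mail flow rule: apply Encrypt-only plus the AME wrapper ----------------
# "Encrypt" is the built-in Encrypt-only RMS template name.
New-TransportRule -Name "Encrypt mail to partners with branded wrapper" `
    -RecipientDomainIs "partner.example" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate "Contoso External Partners"

# --- Verify: list every branding template and its AME settings -------------
Get-OMEConfiguration |
    Format-Table Identity, ExternalMailExpiryInDays, OTPEnabled, SocialIdSignIn
```

The mail flow rule shown is the same one the post describes for forcing the wrapper; for the default OME template only the first Set-OMEConfiguration call is needed.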

Good Things to Know for both OME and AME:

Tip: Use the Office 365 Message Encryption report to monitor when end-users are manually applying encryption templates, and use that to inform your strategy for building conditions into your DLP policies.


Sensitivity Labels

The King.

Sensitivity Labels are a superset of the functionality provided by OME/AME and are part of a much larger protection framework for your organization. Microsoft Information Protection (MIP) is a construct within Microsoft 365 that includes many protection controls working together… sensitivity labels are just one of those controls.

Sensitivity Labels are a by-product of your organization’s data classification scheme and labeling/protection strategy. They can be applied not only to emails, as discussed in this post, but also to files, Sites, Groups, Teams, and (currently in preview) data. The intent is to protect data on all fronts across all collaboration platforms, not just email. This is why sensitivity labels are considered a broad-based protection mechanism across your data landscape and Windows endpoints, extending well beyond email, and need to be part of an organization’s overall protection strategy.

Due to this, the availability of this option is dependent on how mature/far along your organization is at defining a data classification and labeling strategy.

Each time you apply a sensitivity label marked with encryption to an email, it applies an RMS template to it. It will automatically use the default OME template (which you might have added custom branding to), or you can configure a mail flow rule to apply one of your custom-branded templates if you have created one with AME.

You can configure a label to have pre-defined permissions or you can leave it up to the end-user to apply the permissions in-the-moment while composing their email.

As shown above for OME and AME, when configuring DLP policies targeting Exchange location(s), you have the option to restrict access to an email based on conditions you specify by applying an encryption template to the email. In addition to the 2 built-in encryption settings from OME (Encrypt and Do Not Forward), all sensitivity labels with the encryption (custom permissions) setting configured will show in your dropdown list as well. This will rights protect the email with the configuration associated with the label setting and add the OME wrapper around the email as described above.

The external recipient will either authenticate or enter a one-time passcode, depending on your configuration and their email address.

Organizations should evolve their protection strategy over time to include sensitivity labels as an intelligent enhancement to the other OME/AME controls.

Thanks for reading.

-JCK
