Introducing Windows Information Protection

With Windows 10, Microsoft made it a goal to make security one of the biggest benefits and one of the most compelling reasons to migrate from Windows 7. The Windows 10 Anniversary Update continues to make big investments across our key pillars of security, which include identity protection, threat resistance, and information protection. 

87% of senior managers have admitted to leaking data to unmanaged personal locations (email, cloud storage). 58% of us have sent email with business data to the wrong person. Then there is the cost of data breaches, which totals about 240.00 USD per record.


Imagine that scaled across tens or hundreds of thousands of records! Regardless of what the statistics say, and the debates around some of them, we do know how easy it is for users to accidentally leak sensitive business information to unauthorised locations.

In the mobile-first, cloud-first world this problem is only getting more complex as data no longer resides within your perimeter. When you couple that fact with the realisation that the costs of data leaks have transitioned from the hypothetical to the highly quantifiable, it's no wonder that our customers have been urging us to provide solutions. 

To help approach challenges like this, we like to break things into models. For information protection, we've built our model around the following buckets and scenarios, which we believe need to be fulfilled in order to provide our customers with a comprehensive solution.

Information security starts with Device Protection, meaning you need a solution that can protect your data while it's at rest, even if the device is lost or stolen. Windows includes BitLocker for this scenario, and with the improvements in Windows 8.1 and 10, we're confident that our customers will find it has become the best choice in the marketplace. 

The next thing customers need to protect their business data is a solution that has the means to identify personal vs. corporate data, such that it can be contained and securely wiped on demand. Prior to Windows 10 Anniversary Update, the operating system provided no answer for this scenario and customers had to go to third parties if they wanted a solution in this space. 

Next, customers need the ability to prevent business data from leaking in an unauthorised way. For instance, customers need a solution that can prevent data from being copied from corporate documents into non-corporate locations (e.g.: Twitter) and, additionally, they need the ability to make sure that only authorised apps have access to business data. Prior to Windows 10 you had to rely on application capabilities like Office DLP or Azure Rights Management.

Finally, our customers need the ability to help ensure that business data can be securely shared with others within and outside of their organisation. Again, these scenarios require the use of additional Microsoft products like Office 365 and Azure Rights Management. 

Prior to the Windows 10 Anniversary Update, Microsoft had offered capabilities across most of these spaces, but our customers have told us that they want to see more of the information protection stack in Windows itself. To be clear, this wasn't a request to move all of Office 365's and Azure Rights Management's capability into Windows. Rather, it was a request for us to move some of the basics into Windows to provide what is often called "the fundamentals of information protection" right in the box.

Windows Information Protection (WIP), formerly referred to as enterprise data protection (EDP), is the answer to this request. With it, Windows now includes the functionality necessary to identify personal and business information, determine which apps have access to it, and provide the basic controls necessary to determine what users are able to do with business data (e.g.: Copy and Paste restrictions). Windows Information Protection is designed specifically to work with Office 365 ProPlus and Azure Rights Management, which can help protect business data when it leaves the device or when it's shared with others (e.g.: Print restrictions; Email forwarding).

Windows Information Protection

BitLocker is a great solution for protecting data when a device is lost or stolen, but how can you protect your data from users who may accidentally leak data? This is where Windows Information Protection (WIP) from the Windows 10 Anniversary Update is here to help. Today, many vendors offer data loss prevention solutions with data separation, containment, and leak protection. One common problem, though, is that while they can protect data pretty well, it often comes at the expense of the user experience.


On mobile devices, there are many Mobile Device Management (MDM) solutions that require users to switch modes or even apps to protect data. For example, with some solutions, users can't use Outlook, and instead, they need to use an MDM email client that is optimised for securing data and only provides basic email capabilities. In the case of Knox, users have to switch modes to securely work on business data, as Android needs to physically isolate business data within a container to keep it secure from other apps and Android itself.

For the desktop, there are solutions that are better integrated into Windows, but few customers use them as they're expensive, complex to maintain, and still introduce an undesirable level of friction for users.

The challenge with these solutions is that they can’t provide the ideal user experience unless they're integrated into the platform itself. Microsoft is in a position to make that happen — which is exactly what we’ve done with Windows Information Protection (WIP).

WIP is a solution that is easy to deploy and doesn't get in the way of the user experience. Just turn on a few policies in your MDM (e.g.: Microsoft Intune) or System Center Configuration Manager and WIP is ready to go. 

WIP’s capability is fully integrated within the experience your users are already familiar with, and they can continue to use the apps that they, or IT, choose to access protected content. WIP doesn't require users to use special folders, change modes, use alternate apps, move into secure zones or partitions, etc. Instead, the solution works completely behind the scenes and helps protect data wherever it lives on the device. It can even continue the protection when data is copied to removable storage devices such as thumb drives.

Because WIP is integrated into the platform, most of your existing apps (including your LOB apps) will work with WIP without modification, app wrapping, etc. This is a big differentiator given that, in most cases, third-party solutions force users to use completely different apps on mobile vs. desktop devices. For example, your users may use Outlook on the desktop while using a basic third-party email client on their phone. For advanced apps that have the ability to work on personal and business data in parallel, or have the ability to egress data outside of the corporate boundary (e.g.: Outlook), changes to support WIP are required. Another option that can also work is setting a policy to force them to consider all data business related. The Office 2016 Universal Windows apps have already been updated to support WIP, and we are working with third parties as needed.

When it comes to leak protection, WIP helps ensure that only authorised users and apps have access to business data. This even works on devices with multiple user profiles. In addition, WIP helps prevent content from business documents from leaking through copy and paste operations.

WIP allows users to freely copy content between business apps and documents, but it won't allow the data to leak into the personal or public domain unless IT chooses to allow it with a policy. In this case, auditing will occur in the background and your users will be encouraged to act responsibly and in a way that is compliant with your corporate policy.