Information Protection: The What – Office 365 DLP

As mentioned the other day, Microsoft uses two specific products to deal with the what of information protection: Office 365 DLP and Azure Information Protection. There are similarities between the two, but some fundamental differences as well. Let’s focus on Office 365 DLP today.

DLP is all about know and flow. Both are done specifically within the context of the DLP policies you have configured. Know is about the what – the specific sensitive information types or labeled content that exist within an email being written, a document attached to an email being written, or a document being shared from SharePoint or OneDrive.

But the know is only enacted at the point of flow, such as when the user is writing an email that has been addressed to someone not authorised to receive it (e.g., an external recipient), or a document sharing action that would share the document with someone not authorised to view or edit it.

This core idea – know and flow – aligns with the specific protection mandate of Office 365 DLP – to “prevent loss” by stopping an unauthorised someone from gaining access.

Thus DLP policies – as set up in the Security & Compliance Center – are intended for:
– preventing an internal user from sending content in an email, or in a document attached to an email, to a recipient who should not receive it.
– preventing the sharing of a document from SharePoint or OneDrive with someone who should not receive it.
In both cases the action has to happen within and through Office 365 for DLP to see it and act on it.
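As an added example (not from the original post, and not Microsoft’s own sample), here is how those two intentions translate into a policy and rule in Security & Compliance Center PowerShell. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and an account allowed to manage DLP; the policy and rule names are hypothetical. The built-in Credit Card Number sensitive information type is the “know”; the condition that the content is reaching someone outside the organisation is the “flow”.

```powershell
# Added example (not from the original post): a DLP policy that captures "know and flow".
# Assumes the ExchangeOnlineManagement module and an account allowed to manage DLP policies.
# Policy and rule names are hypothetical.
Connect-IPPSSession

# The "know": confirm the exact name of the built-in sensitive information type before using it.
Get-DlpSensitiveInformationType |
    Where-Object Name -like '*Credit Card*' |
    Select-Object Name, Publisher

# The boundary: Exchange email, SharePoint and OneDrive for Business are all in scope.
# Start in test mode so policy tips and incident reports can be reviewed before anything is blocked.
$policyName = 'Card data - no external sharing'
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Credit card numbers must not leave the organisation' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# The "flow": the rule fires only when matching content is shared with someone outside the organisation.
# Inside the organisation the same content flows freely, which is exactly the know-and-flow model.
New-DlpComplianceRule -Name 'Card number to external recipient' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1'; minConfidence = '85' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText 'This item contains credit card numbers and cannot be shared outside the organisation.' `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, MatchedItem, RulesMatched, Service `
    -ReportSeverityLevel High

# Once the test-mode reports show an acceptable false-positive rate, switch to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Two practitioner notes. First, start every new policy in a test mode: a block rule that fires on a finance team’s legitimate internal-to-auditor traffic is how DLP projects get switched off. Second, the rule only ever evaluates the flow it can see; the same numbers in a file copied to a USB drive never pass through this rule, which is the limitation the next paragraph describes.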

DLP will not prevent loss in all situations unless other parts of the Information Protection portfolio are also in use. Office 365 DLP only sees flows that pass through Office 365 services. For example, if a user downloads a file with sensitive data and then syncs it with Dropbox (or some other cloud sharing service), that content has left the boundary of Office 365, and the loss prevention capabilities are blind to whatever happens to it next. Ditto if it is copied onto a USB thumbdrive. Other solutions in the portfolio – Microsoft Cloud App Security and Windows Information Protection, for example – can address most of these challenges, and Azure Information Protection helps to a degree as well (in conjunction with those other two), since its protection is bound to the file rather than to the service it sits in. We’ll leave that complexity for another day.

But for now – DLP is all about know and flow.

Information Protection: The What

When thinking about information protection, one of the key questions is what: what specific information should be protected? Some information doesn’t need to be protected at all, such as when it is common knowledge (2+2=4) or easily available (the name of the current leader of a country).

Other information does need to be protected – for a variety of reasons (the why, which we’ll talk about more fully later). Broadly speaking, information needs to be protected when its inappropriate use or disclosure could cause harm to a person, entity, or organisation. For example, disclosing someone’s credit card number and expiry date to the wrong person could result in financial harm (unauthorised transactions, lost funds, a decimated credit rating, etc.). Disclosing someone’s name, address, national ID number and similar data could result in harm through identity theft, where an unauthorised actor uses that valid data to masquerade as the other person, receiving benefits the victim is entitled to, or leaving the victim to pay for benefits they never received. In an organisational context, disclosing financial planning documents or explanations of forthcoming business strategy moves to a competitor can result in a weakened market position, reduced market valuation, and in the worst case, outright business failure.

The potential to cause harm is what drives the need to create mitigations through information protection, and in Microsoft’s perspective on information protection, there are two general classes:

  1. General and generic types of information that are sensitive, and that can be computationally discovered. For example, a credit card number is a credit card number is a credit card number, and if you can work out the identifying characteristics of credit card numbers, you can detect the presence of one or more. Likewise for social security numbers (US), tax numbers (pretty much everywhere), health identification numbers (ditto), and more. Information in this class exists generally, and a specific organisation could (or may have to) protect such information if it collects or handles it.
  2. Specific types of information that could cause harm to a specific business (or government agency, organisation, non-profit, etc.) if they were to fall into the wrong hands. For example, strategy documents, financial plans, employee lists, expansion ideas, current M&A targets, and more. Information in this class exists in customised forms for specific entities, and each business / organisation / other will need to define it for itself. There are of course general classes of these types of information across most entities, but the specific realisation is up to the specific entity.
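To make “computationally discovered” concrete, here is an added PowerShell example (mine, not code from the post or from Microsoft) of the three checks a credit card detector combines: a digit pattern, a Luhn checksum, and supporting keywords nearby that raise confidence. The built-in Office 365 Credit Card Number type works along these lines, pattern plus checksum function plus keyword evidence feeding its confidence levels; the keyword list, the window size and the sample text below are constructed for the example, and the High/Medium labels are a simplification of the percentage confidences the real type reports.

```powershell
# Added example (not from the original post, nor Microsoft's own detector): the three checks that
# turn "looks like a credit card number" into a detection with a confidence level.
# Keyword list, window size and sample text are constructed for the example.

function Test-LuhnChecksum {
    # Luhn mod-10 check: every second digit from the right is doubled (minus 9 if over 9),
    # and the total must be divisible by 10. Payment card numbers carry this check digit.
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CreditCardNumber {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$KeywordWindow = 80   # characters of context on each side to search for supporting keywords
    )
    # Supporting keywords: a checksum-valid number near one of these is far more likely to be a card.
    $keywords = @('credit card', 'card number', 'visa', 'mastercard', 'amex', 'expiry', 'expires', 'cvv', 'cvc')
    # Check 1, the pattern: 13 to 19 digits, optionally separated by single spaces or hyphens.
    $pattern = '\b(?:\d[ -]?){12,18}\d\b'
    $results = foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[^\d]', ''
        # Check 2, the checksum: drop digit runs that fail Luhn (order numbers, phone numbers, IDs).
        if (-not (Test-LuhnChecksum $digits)) { continue }
        # Check 3, the evidence: look for supporting keywords in a window around the match.
        $start   = [Math]::Max(0, $m.Index - $KeywordWindow)
        $end     = [Math]::Min($Text.Length, $m.Index + $m.Length + $KeywordWindow)
        $context = $Text.Substring($start, $end - $start).ToLowerInvariant()
        $hasKeyword = $false
        foreach ($k in $keywords) {
            if ($context.Contains($k)) { $hasKeyword = $true; break }
        }
        $confidence = if ($hasKeyword) { 'High' } else { 'Medium' }
        [pscustomobject]@{
            Match      = $m.Value
            # Never log the full number; keep the last four digits, as a DLP incident report would.
            Masked     = ('*' * ($digits.Length - 4)) + $digits.Substring($digits.Length - 4)
            Confidence = $confidence
        }
    }
    return @($results)
}

# Constructed sample: a valid test card number with supporting keywords (High), a lookalike that
# fails the checksum (not reported), and a checksum-valid number with no keyword nearby (Medium).
$sample = @"
Hi Jo, please bill the client's Visa, card number 4111 1111 1111 1111, expires 03/21.
Our order reference is 4111-1111-1111-1112 (fails the checksum, so it is not reported).
Tracking reference 5555555555554444 shipped yesterday.
"@
Find-CreditCardNumber -Text $sample | Format-Table
```

The point of the three layers is the false-positive rate. A bare 16-digit pattern fires on tracking numbers, invoice numbers and phone numbers; the checksum removes most of those, and the keyword window is what lets a policy demand high confidence before it blocks while still reporting medium-confidence matches for review. That is also why the minConfidence threshold on a DLP rule matters: set it too low and the block action lands on documents that merely contain long numbers.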

Microsoft deals with the above through two specific products in its information protection solutions portfolio: Office 365 data loss prevention (DLP) and Azure Information Protection (AIP). Both products can work with the generic sensitive information types as well as the specific types of information that could cause harm to a particular entity. DLP always works automatically (scanning and analysing content against the configured policies), and AIP can work either by user choice (manual labeling of a document or email) or based on automated content analysis. And if something is found that goes against a policy, an automated action can be triggered – such as a user notification, an alert to an administrator, or a block action that prevents the message or document from being sent / saved / shared.

“Information Protection”

If you thought “collaboration” was a wiggly word with lots of definitions and places it could be used, you should try the phrase “information protection” on for size. Once you start enumerating the types and styles and approaches and consequences and implications and gotchas, you start to build a complex picture of requirements. Which is why Microsoft doesn’t offer an “information protection” product as such, but rather a set of solutions that apply in different situations. I need to get my head around what is actually on offer in Microsoft’s Information Protection Solutions catalog, so let’s have a talk about it. And probably not just today.

The diagram above is a common one used by Microsoft to show the breadth of its solution set. The four blue circles in the middle express the generic commonalities – detect, classify, protect, and monitor. The 11 solutions around the outside are the specific products that are [1] part of the solution set, and [2] deliver one or more of the four blue-circle capabilities.

One immediate conclusion from the breadth of these capabilities is that information protection is complex. There’s a lot to understand when the productivity and collaboration product set in Office 365 is as broad and deep as what Microsoft is attempting. To be the company that helps “everyone to achieve more” – a broad and all-encompassing vision if ever there was one – you have to safeguard the means of achieving as much as you provide the tools for achieving.

A second observation from the diagram is that not all of these capabilities are in Office 365. Some are: Office 365 Message Encryption, Office 365 Advanced Security Management (now called Office 365 Cloud App Security), and Office 365 DLP are three obvious inclusions. And of the capabilities that are in Office 365, not all are in all plans; essentially, if you want all the Office 365 capabilities, you’ll need to purchase the E5 license, and lower licensing levels have a diminishing number of capabilities. The rest of the capabilities come from the Enterprise Mobility + Security plan – this is where you get the full version of Microsoft Cloud App Security, Conditional Access (from Azure Active Directory), Azure Information Protection, and more. One way of thinking about it is that you buy Office 365 E5 for productivity and collaboration and Enterprise Mobility + Security E5 for safeguarding that productivity and collaboration. It’s not a fully correct differentiation, but it’s a broadly accurate one. And if you buy the Microsoft 365 plan, you get both the Office 365 capabilities and the Enterprise Mobility + Security capabilities, along with Windows 10.

So what do the above capabilities actually do? Let’s talk about that another day.

Even Microsoft Struggles With It

With the rate of change in Office 365, everyone is struggling to stay up to date on what’s available, what’s coming, what’s possible, what’s not working yet, and more. There is the purely cognitive side of staying up to date, which can be done by some disciplined (but rather relentless) reading each day. But the bigger problem is the more formalised artifacts that get produced: the help videos, user guides, screenshots, scenario explorations, and much more that all need to be kept up to date.

But since even Microsoft struggles with its own relentless cadence of change, don’t take too hard a line with yourself.

Here’s an example: Microsoft released a new approver role for the Customer Lockbox feature in Office 365 E5 (also available through the Advanced Compliance add-on). It’s a good addition to the service, because weighing down global admins with every small detail of running the service isn’t a good design or operational principle. And being a global admin of a tenant does not mean you have the business knowledge to judge between valid and invalid requests by Microsoft engineers during support incidents. Someone else might be better placed to do that, giving a better chain of authority and approval, and keeping the most privileged role in the tenant out of a decision that doesn’t need it. So the new role is a good nuance to add, and is in line with the general proliferation of feature-specific roles in Office 365.

Anyway, in making the above announcement, Microsoft includes a video from November 2015 that explains Customer Lockbox. The talking at the beginning is fine, the animations of how the support request works are also fine, but the live demo and click-through of the interface … are now old. The Office 365 admin center in the video is no more; now it’s the Microsoft 365 admin center. The way the app launcher works in the video is no more; now it’s done differently. The layout of the admin center interface is also different. So while the video was correct and proper in late 2015, it’s no longer reflective of the interface and its capabilities. For people new to Office 365, seeing the video with one interface and then experiencing a different name, layout and more is confusing.

And this raises the question: what should Microsoft do with these older artifacts when something changes? If they were constantly re-recording old videos to bring them up to date, I’m sure the cadence of change would decrease! By implication – what do you do? One of my friends in the adoption and effective use space takes the view that prepared artifacts become outdated so quickly that doing live explorations with a new business group is the only way to proceed. Don’t bother with preparing documentation; just learn in the moment, and go with the flow.


New Computer – 2014 vs. 2018

Several years ago I had the opportunity to help the husband and wife team of a small business go from one computer to two new laptops. They had shared one PC for a long time, and it took hours and hours to separate what was his and what was hers (files, email contacts, applications) … and then stitch together a new PC for each of them. If I recall correctly, once done, something in the order of 20-30 hours disappeared into that project.

At the time, we deployed Box for file sharing, so that we’d never have that problem again. He had his files. She had hers. And there was a shared space for them to share. I like services that create some separation between a device and its contents; while content can be stored on a device, being authoritatively and solely stored there is a recipe for problems in the case of a failed hard drive, lost machine, or even a successful ransomware attack. Box provided this – with all files stored authoritatively in the Box service, and syncable to each device as required.

We continued with the current IMAP based email system for the next few years, but the quality of the threat protection was such that I was growing increasingly worried that one or the other would click on something nefarious, and then we’d have a nightmare situation to resolve. I had a plan for such an eventuality (thanks Backblaze), but would always prefer to not get there in the first place.

This year I shifted the client to Office 365. The cost to do so was about the same as using Box and paying for the existing email service. With both of those cancelled, the monthly cost for Office 365 is slightly less over time. Box has gone, and is replaced with OneDrive. The email service with low quality threat protection is now replaced with Exchange Online and Exchange Online Protection (which can handle signature-based threats, not the new and emerging ones for which we’d need Advanced Threat Protection). As I now monitor the email traffic coming in, the number of nefarious emails has been greatly reduced – not to zero mind you – but much, much less than the other service.

Last week it was time for a new laptop for the husband. The previous one was on go-slow, and it was time for something faster and smaller. Unlike four years ago, this time it was turn on, sign in with the Office 365 work account, download the apps from the Office portal, set up Outlook and OneDrive for Business … and the machine was basically ready to go. After installing a few other non-Office 365 apps as well – 1Password, Backblaze, Trend Micro Internet Security, etc. – what previously took 10-15 hours took about two.

If we’re using Microsoft 365 next time a new laptop is required – adding the device management and additional security capabilities of Enterprise Mobility + Security, along with Windows 10 licensing – I’d expect the time required to be even less.

But whatever way you cut it, this is a substantial improvement over 4 years ago. Thanks Office 365.

Microsoft Whiteboard

While a white background is a common starting experience in Microsoft’s applications, the specific capabilities of each tool both create and constrain what you can use it for. Word’s white background is for words, sentences, paragraphs and pages. Excel’s white background is for numbers and calculations and data modelling and charts. PowerPoint’s white background has traditionally been for words and sentences as well, albeit in a different form and for a different purpose to Word’s whiteness and wordiness. In some spheres, PowerPoint is becoming more of a structured method of telling a story with photos and pictures and minimal words. Windows Explorer – for storing and sharing files. Etcetera.

What we’ve lacked for too long – constrained by having neither the tool itself nor a wide distribution of touch-enabled and pen-enabled devices – is the equivalent of a whiteboard in a meeting room. The blank canvas on which you can write words, draw lines or pictures, put numbers in a table … the do-anything blank canvas for beginning a new work or idea or project. Not for finishing it – there are other and better tools for that – but for starting … there’s nothing quite like a blank whiteboard or blank sheet of paper. Oh the possibilities. Oh the opportunity for … starting afresh, anew, differently, creatively.

Now that there are many more appropriate devices on the market – the iPad crowd with their Apple Pencils, the Microsoft Surface crowd with their Surface Pens, and various others – Microsoft’s release of its new Whiteboard application for Windows 10 (and soon iOS and other device platforms) makes a lot of sense. The context is ripe, so the content can now flow in new and different ways.

From the Microsoft 365 blog:

Microsoft Whiteboard is now generally available for Windows 10, coming soon to iOS, and preview on the web. Whether meeting in person or virtually, people need the ability to collaborate in real-time. The new Whiteboard application enables people to ideate, iterate, and work together both in person and remotely, across multiple devices. Using pen, touch, and keyboard, you can jot down notes, create tables and shapes, freeform drawings, and search and insert images from the web.

Welcome to Whiteboard. I got my copy for Windows 10 from the Microsoft Store. Given where it was announced, the collaboration capabilities will require an Office 365 subscription of some kind.

It’s time to let our pursuit of the perfect begin again with the mighty pen.

Walking a Different Path – Redux

Yesterday I wrote briefly about Colgate-Palmolive shifting to Google G Suite:

Colgate-Palmolive needed to refresh its collaboration tools portfolio, and unlike most of its industry peers, did not embrace Office 365. A year after the migration to Google Cloud, it looks like things are still going well – the core collaboration team is happy, and so are the users.

I’m not happy with the brevity of what I said. I’m not happy with my lack of articulation about the story. So I’m going to try again.

The clients I work with now are all-in on Office 365; I don’t have any clients that have gone Google. And so I’m on the outside of the decision process at Colgate-Palmolive, although I know and know of some of the people in the video above. With the velocity that Microsoft is ramping up on Office 365, Azure, Dynamics 365, Enterprise Mobility + Security, Microsoft 365 and more, it’s very easy for an organisation to look at the general market dynamics and say “let’s flow with everyone else.” It takes a different level of gumption and decision tenacity to stand in the flow of the messaging and collaboration market and decide to step outside of that general flow and do something different.

Especially when you are a well-known global brand that gets put in front of many people first thing in the morning and last thing at night.

Especially when you are a larger organisation who will get video time with any vendor you go with. And conference talk invitations. And conference keynote interview time.

Especially when, as decision makers and decision influencers, the embrace and adoption of something outside the general flow will have career-limiting impacts on you if it all goes wrong. Either immediately or within several years.

Especially when, as a consequence of making the decision to say no to Microsoft and yes to Google, you will be subjected to an ongoing barrage of sales pressure to switch and “do it properly this time.” Imagine the partying that would happen if that was to transpire.

Especially when you put yourself on the outside of the large and dynamic conferences around the world and join a much smaller group of large organisations that have gone Google.

This is the beauty of the decision process at Colgate-Palmolive, and the in-your-faceness of the video above. I applaud the courage to make a counter-flow decision, and wish the team at Colgate-Palmolive all the best. Given the focus of my work, I have nothing that I can offer to help or assist them in their Google journey, but as a fundamental principle, I believe that one-horse races are boring. Having more players – and strong ones at that, who are well-capitalised and enjoy strong product adoption by major brands – makes the entire segment a much more interesting place to be.

Walking a Different Path

Colgate-Palmolive needed to refresh its collaboration tools portfolio, and unlike most of its industry peers, did not embrace Office 365. A year after the migration to Google Cloud, it looks like things are still going well – the core collaboration team is happy, and so are the users.

Integrating Adobe with Office 365

Adobe and Microsoft announced several new integrations between their respective services last month, bringing PDF services into the online versions of Word, Excel and PowerPoint, PDF preview capabilities to SharePoint and OneDrive for Business, and the ability to combine files directly in the browser.

More fully, you get the ability to:

– Open and view PDFs online with Adobe’s high-quality web-based PDF previewer.
– Create password-protected Adobe PDFs that preserve fonts, formatting, and layouts.
– Manipulate existing PDF documents by deleting, reordering, or rotating pages in a PDF.
– Combine multiple Microsoft files and PDFs into a single PDF that you can use for archiving or distribution.
– Convert PDFs into editable Microsoft Word, Excel, PowerPoint, or RTF files from your mobile device or online while preserving fonts, formatting, and layouts.

The integration has to be enabled by an Office 365 administrator, and you’ll need a subscription to Adobe Document Cloud in addition to the Office 365 one.

Nudges in MyAnalytics

Microsoft is adding small coaching nudges to Outlook – on the Web shortly, in Outlook for Windows during 2018, and perhaps sometime for Outlook on Mac, iOS and Android.

These nudges are:

… useful suggestions, tips, and best practices around managing email and running meetings. They help inform and guide you in making effective email and meeting decisions. They can also help you to reclaim focus hours and build better collaboration habits, in addition to other practical benefits.

The initial categories of nudges are about:
– getting more time to focus, e.g., to book time for focused work
– reducing unnecessary time in meetings, e.g., by sending someone else
– keeping track of commitments, e.g., outstanding to-do items, other unread email from a given person
– reducing after-hours work and team impact, e.g., by signaling urgency levels on emails sent out of hours

As I said yesterday, these are good, small, positive steps in the right direction for cultivating more productive habits.

I hope Microsoft adds more capabilities to these nudges over time. For example:

  • For reducing unnecessary time in meetings – the nudge could also be about other fundamentals of effective meetings, like the necessity of a strong agenda. For example, “there’s no clear agenda for this meeting; ask for one to be created” could be a nudge. Or if the person’s role in the meeting is just about hearing information, the nudge could be “request access to the meeting notes after the meeting.” Perhaps a meeting doesn’t require the original invitee or any delegate to attend at all.
  • For reducing after-hours work and team impact – the nudge should include the option for holding the message for delivery until the recipient starts work on their next business day. Outlook already has a delayed delivery capability; this could be leveraged as part of the nudge. And rather than nudging every time, this could be a configurable setting in Outlook – that messages are always delivered at the start of each recipient’s business day (for one-to-one emails).

And clearly these nudges should be in many other places in Office 365 – Microsoft Teams, Skype for Business, Planner and more – but Microsoft has to start somewhere, and Outlook is a good enough place to start.

Finally, this is interesting from the perspective of adoption and effective use of Office 365. In the workshop I just linked to, I talk about focusing on cultivating the human behaviours that underlie the use of tools (e.g., in Extending Effective Use, the section called Train on Core Behaviours, where my conclusion is “When the capabilities of tools outstrip the capabilities of people to act/behave in the best way, tool usage is ineffective”). These nudges aren’t about standard training tips on how to use the software, but rather about advanced behavioural habits on how to use the software capabilities effectively.

I’m jazzed to see where MyAnalytics Nudges and the wider Workplace Analytics solution goes.