Getting Started with Windows Information Protection
In my previous article on Windows Information Protection, I described how Windows Information Protection (WIP) and Azure Information Protection (AIP) work together to help protect organizations against data loss and leakage. In this article, I’ll dig into WIP’s requirements, how it works, and how you can use it.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Separating Personal and Business Data
The main idea behind WIP is simple. WIP applies tags to files and web pages to mark them as coming from an enterprise source. When you copy a file from OneDrive, copy text from an intranet web page, or open an email attachment, WIP knows based on the source of that object whether it’s work-related or not. It then restricts what you can do with the data item based on the policy that’s in force. By tagging work data as such, the idea is that applications, services, and users can keep work and personal data separate and keep work data from being sent or copied where it doesn’t belong. That means that WIP has to be aware of two things: whether a given data item is enterprise or personal and where the data item came from in the first place.
Windows Information Protection Components
WIP is made up of a few key components:
- Applications: You can use existing applications with WIP without changing them. For example, if you have a line-of-business application, you can configure it to work with enterprise-owned data without changing the app itself. You can also use enlightened applications that can honor WIP policy controls and allow you to work with both work and personal data together.
- Windows 10 Anniversary Edition or later on the desktop: These versions of Windows include APIs that enlightened applications can use. Windows 10 also provides two features that WIP depends on: AppLocker for controlling which applications are allowed to run and the Encrypting File System (EFS) for protecting work-owned files from theft or tampering.
- WIP policies that specify what users are allowed to do, what applications can process data, and what IP addresses, DNS names, and cloud applications should be considered as the source of enterprise data.
- A mobile device management (MDM) tool that publishes the WIP policies to Windows 10 computers. You can use recent versions of SCCM or Intune.
Alice and Bob Use WIP…
Let’s see how WIP works with an example. Alice is a marketing manager for Contoso. Bob is a research scientist for Contoso Labs and Rick is a reporter.
Alice starts her workday by logging into her desktop and browsing the Contoso internet. The Edge browser shows her a briefcase icon in the address bar, showing that the web page she’s reading is work data. She sees an interesting research article, clicks on the headline, reads it, and decides that it would make a good start for a press release. She copies some text from the press release onto her clipboard, opens Outlook, and pastes it into a new mail message to Bob while adding a few questions. WIP allows this because she’s copying data from a work document (the intranet page) into a work message (sent to an internal Contoso recipient). She then creates a new press release using Word, saving it to OneDrive for Business, which WIP allows because ODB is set as a permitted cloud source. So far, this is no different than the way things would work without WIP.
The first change occurs when Alice creates a new mail message to Rick, asking whether he’s interested in writing about the new research. When Alice tries to paste text into this message, she sees an alert telling her that Windows has noticed she might be sharing confidential data and asking her if she really wants to paste it. That’s because the WIP policy, in this case, is set to “allow overrides.” Alice can choose to override the policy and send the message but her decision to do so is logged for auditing.
Meanwhile, Bob copies the press release from OneDrive for Business to his computer, where WIP marks it as an enterprise file. Because it’s marked, it is automatically encrypted with the enterprise WIP key. Bob tries to open it using LibreOffice and can’t because LibreOffice isn’t on the approved application list. He can open it in Word 2016, though, because it’s enlightened. Bob makes a few edits to the press release and saves a copy on a USB stick to take home and work on it later. Unfortunately, the stick falls out of his laptop bag on the way home. A curious passer-by finds it, takes the stick home, but can’t open the document. WIP encrypted it using the enterprise EFS key, which the bystander doesn’t have.
A Little More on Application Access
One of the key selling points behind WIP is that it lets you use your existing applications. Here’s how that works:
- Office 2016 and many of the built-in Windows 10 applications (People, Paint, and so on) are enlightened. They can handle both personal and work data with no trouble, enforcing whatever WIP policy controls are in place.
- If you want an unenlightened app to be able to work with data that comes from an enterprise source, add it to the WIP policy as an allowed application. Once you do, Windows will allow that app to read and write enterprise data by encrypting and decrypting it transparently.
- Unenlightened applications that aren’t listed in the policy can still work with data that is marked as personal. However, Windows won’t decrypt enterprise data for them, nor will it allow pasting or drag-and-drop of enterprise content if the policy blocks it.
Microsoft often mentions AutoCAD as an example– it isn’t enlightened. But adding it to the policy allows users to work normally with CAD files from the corporate network and cloud sources while still preventing data leakage to untrusted applications.
The simplest way to deploy WIP is using Microsoft Intune, which many companies have access to through their Office 365. We’re not going to cover setting up Intune in this article; assuming you already have it set up, adding a WIP policy is pretty easy. Microsoft has complete instructions. Note that the instructions are different according to whether you’re using mobile device management (MDM) or mobile application management (MAM). The most important part of the policy is probably specifying which applications you want to treat as enterprise apps (whether or not they are enlightened) and which apps you want to exempt from WIP enforcement. The second-most-important part is deciding what protection mode you want to apply. Microsoft recommends starting with “Silent” or “Allow overrides” to start, but I prefer using “Silent” for the first 30 days or so to give you a baseline. The baseline will help you understand what users are doing and how they’re interacting with the policy before you start enforcing it.
Once you’ve created the basic policy, you will probably want to use the “Advanced settings” blade of the policy settings to control which cloud services should be treated as sources of enterprise data. These settings control which Internet FQDNs and/or IP addresses should be considered as internal or intranet sources, so once you have them properly set to include your Intranet file and SharePoint servers, Windows Explorer, Edge, and other WIP-enlightened applications will magically treat data from those origins as being enterprise-owned.
The last critical step is to set up a data recovery agent (DRA) certificate. This protects you against data loss caused by corruption or damage to an employee’s local EFS key.
Once you’ve deployed a WIP policy, you can start using it. In ordinary use, you shouldn’t notice any major differences. Users should still be able to get their work done, with the difference that they’ll be warned when they mix enterprise and personal data. You can collect the audit logs and review them to see when users are changing file ownership manually or sharing data against the policy. You can also try deploying the Azure Information Protection client, although that gives you a separate set of functionality that I’ll be discussing in a future article.
Putting WIP in Context
Robert Frost famously said that “good fences make good neighbors.” In that same spirit, WIP is not an impenetrable security system that will guarantee that no one ever shares corporate data, accidentally or on purpose, with people who aren’t supposed to have it. It does make it easier to avoid sharing mistakes. The WIP policy controls and auditing give you a useful set of tools for protecting against and responding to the kinds of incidents that might lead to a data breach. In that light, WIP is a valuable addition to your security toolbox.