TechEd Europe 2014: Windows 10 Enterprise Data Protection

More details of data loss prevention (DLP) features in Windows 10 were revealed recently at TechEd Europe 2014 in Barcelona. In contrast to third-party systems, such as Samsung Knox for mobile and desktop solutions for Windows, DLP will be deeply integrated into Windows 10 to contain data at the file-system level so that the technology works transparently to users.

Windows 10 Security: Cross-platform sharing

In Microsoft’s new client DLP solution, Windows acts as an access control broker to data that’s secured at the file-system level, unlike other products that are built on top of the OS. Not only will it work on Windows, but APIs will allow iOS and Android to access data protected by Windows 10 DLP to provide a similar experience as possible, despite the lack of deep integration that’s possible in Windows. While programs will need to be updated to work with Windows 10 DLP, reader and viewer apps will be made available so users can access content when there are no available updates.

DLP will be deeply integrated in Windows 10.

Protection everywhere

Windows 10 DLP protects data in transit and at rest, which includes removable devices, such as USB sticks. Administrators will be able to remotely wipe devices and control which apps can access corporate data. This idea has also been extended to virtual private networks (VPN), and organizations will be able to define which apps are allowed to work over VPN. Third-parties will also be able to integrate with Windows 10 DLP using APIs, including applications in the cloud.

Differentiating corporate and personal data

Windows 10 DLP intelligently differentiates between corporate and personal data via a few different mechanisms. Organizations can define domain names that are marked as corporate, so for example when data is loaded from an organizational Office 365 account, it is marked as company data.

Apps can be also set to only work with corporate data, and they can also create new content that must be categorized as corporate, but system administrators will have the option to allow end users to determine how data is categorized when initially saving files.

Finally, although Windows 10 doesn’t rely in any way on data being saved to a particular location to be protected by DLP, organizations can define locations where all data must be categorized as corporate.

One point that was stressed today is that there are no plans to introduce file classification on the client, so Windows 10 DLP will not be able to scan the contents of files to determine how they should be categorized. Depending on customer feedback, file classification will remain a server-only feature, but could be introduced on the client at a later date.

Windows 10 DLP setup and management

DLP solutions have been traditionally difficult to set up and manage and have required users to manage different profiles or apps to work with protected data. Windows 10 DLP aims to remove users from the equation in most instances and are only involved in decisions about how data is categorized when creating new content if policy doesn’t enforce that content must be categorized as corporate.

For cloud-based environments, Mobile Device Management (MDM) will manage the encryption keys, and for onsite systems, System Center Configuration Manager (SCCM) will take on this role, with the underlying key-management technology likely to be Rights Management Server (RMS), although a final decision has yet to be taken. Windows 10 DLP is currently being referred to as Enterprise Data Protection, but again this is likely to change before Windows 10 is released to manufacturing sometime in the second half of 2015.