Introducing Windows Information Protection


Guest author: Chris Hallum

With Windows 10 we made it a goal to make security one of the biggest benefits and one of the most compelling reasons to migrate from Windows 7. As you may have seen in our blogs released earlier today, the Windows 10 Anniversary Update continues to make big investments across our key pillars of security, which include identity protection, threat resistance, and information protection. This blog will drill down a bit deeper on what we’re doing on the information protection front, the most relevant of which is the announcement that Windows Information Protection (WIP) – formerly referred to as enterprise data protection (EDP) – will ship in the upcoming Windows 10 Anniversary Update.

Before we get into the details of what Windows Information Protection is and what our other information protection technologies will offer in the Anniversary Update, let’s quickly set the stage on why our customers are asking for improvements in this space. Here are a few sobering facts: 87% of senior managers have admitted to leaking data to unmanaged personal locations (email, cloud storage). 58% of us have sent email with business data to the wrong person. Then there is the cost of data breaches, which totals about $240 per record.

Imagine that scaled across tens or hundreds of thousands of records! Regardless of what the statistics say, and the debates around some of them, we do know how easy it is for users to accidentally leak sensitive business information to unauthorized locations.

In the mobile-first, cloud-first world this problem is only getting more complex as data no longer resides within your perimeter. When you couple that fact with the realization that the costs of data leaks have transitioned from the hypothetical to the highly quantifiable, it’s no wonder that our customers have been urging us to provide solutions.

To help approach challenges like this, we like to break things into models. For information protection, we’ve built our model around the following buckets and scenarios, which we believe need to be fulfilled in order to provide our customers with a comprehensive solution.

Information security starts with Device Protection, meaning you need a solution that can protect your data while it’s at rest, even if the device is lost or stolen. Windows includes BitLocker for this scenario, and with the improvements in Windows 8.1 and 10, we’re confident that our customers will find it has become the best choice in the marketplace. We’ll talk more about that later on in this blog.

The next thing customers need to protect their business data is a solution that has the means to identify personal vs. corporate data, such that it can be contained and securely wiped on demand. Prior to Windows 10 Anniversary Update, the operating system provided no answer for this scenario and customers had to go to third parties if they wanted a solution in this space.

Next, customers need the ability to prevent business data from leaking in an unauthorized way. For instance, customers need a solution that can prevent data from being copied from corporate documents into non-corporate locations (e.g.: Twitter) and, additionally, they need the ability to make sure that only authorized apps have access to business data. Prior to the Windows 10 Anniversary Update you had to rely on application-level capabilities such as Office DLP or Azure Rights Management.

Finally, our customers need the ability to help ensure that business data can be securely shared with others within and outside of their organization. Again, these scenarios require the use of additional Microsoft products like Office 365 and Azure Rights Management.

Prior to the Windows 10 Anniversary Update, Microsoft had offered capabilities across most of these spaces, but our customers have told us that they want to see more of the information protection stack in Windows itself. To be clear, this wasn’t a request to move all of Office 365’s and Azure Rights Management capability into Windows. Rather, for us to move some of the basics into Windows to provide what is often called “the fundamentals of information protection” right in the box.

Windows Information Protection is the answer to this request. With it, Windows now includes the functionality necessary to identify personal and business information, determine which apps have access to it, and provide the basic controls necessary to determine what users are able to do with business data (e.g.: copy and paste restrictions). Windows Information Protection is designed specifically to work with Office 365 ProPlus and Azure Rights Management, which can help protect business data when it leaves the device or when it’s shared with others (e.g.: print restrictions; email forwarding).

BitLocker

As mentioned earlier, information protection starts with securing the device and data so that – if it’s lost or stolen – unauthorized users won’t be able to gain access. BitLocker is our solution, and with Windows 10 we’ve made significant enhancements that address some of the biggest challenges that encryption vendors and customers have faced in the past.

For starters, one of our biggest goals was to make BitLocker one of the easiest solutions to provision – in some cases even providing automatic provisioning right out of the box. Unlike Windows 8.1, there is no longer a dependency on InstantGo hardware for device encryption. If the PC is capable, it will be protected with device encryption as soon as a user signs into the device with administrative privileges. Our Surface devices – starting with Surface 3 and beyond – are all ready for device encryption, as are select devices from OEMs.

If your last look at BitLocker was with your Windows 7 deployment, you may have looked elsewhere, as BitLocker initially lacked enterprise-grade management. That gap has since been addressed with a feature-rich solution that we call Microsoft BitLocker Administration and Monitoring (MBAM). MBAM includes all of the tools customers need to simplify provisioning at scale, to monitor and report on compliance, and to execute recovery scenarios.

The last key area that customers have asked for improvements on is Single Sign-On (SSO). With Windows 8.1, we made improvements that enabled tablets to securely run BitLocker without a PIN, thus giving BitLocker both TPM-based pre-boot authentication and SSO. With Windows 10, we’ve changed the way DMA-capable ports are handled on devices certified for Windows 8.1 or newer, so that an even broader range of devices can use TPM-based pre-boot authentication and SSO. These changes protect the device from well-known BitLocker bypass attacks like those from Passware, ElcomSoft, and Princeton, which were only possible on legacy devices where PIN protection was not used. For more information, we have a detailed whitepaper called Protect BitLocker from Pre-boot Attacks, which can be found on the Windows TechNet site.
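The two BitLocker paragraphs above describe a target configuration: volumes encrypted, the OS volume unlocking with a TPM-only protector (SSO, no PIN) on hardware with a TPM and UEFI Secure Boot, and a recovery password created so MBAM (or AD/Intune) has something to escrow. The script below is an added example, not code from the original post or from Microsoft, that reports that posture for the local machine using the in-box `BitLocker` and `TrustedPlatformModule` cmdlets. The function names and the "TPM (SSO)" / "TPM+PIN" labels are this example's own; it must run in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Summarizes BitLocker posture on
# the local machine: platform prerequisites for PIN-less pre-boot auth, then
# per-volume encryption state, how the volume unlocks at boot, and whether a
# recovery password protector exists. Uses only in-box cmdlets.

function Get-PlatformReadiness {
    # A ready TPM and UEFI Secure Boot are the prerequisites for TPM-only (SSO)
    # pre-boot authentication. Confirm-SecureBootUEFI throws on legacy BIOS
    # systems, which we report as $false rather than failing the script.
    $tpm = Get-Tpm
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    [pscustomobject]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
        SecureBoot = $secureBoot
    }
}

function Get-BitLockerPosture {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Classify the boot-time unlock method from the protector types present.
        # 'Tpm' alone is the PIN-less SSO configuration described in the post;
        # TpmPin / TpmPinStartupKey add a second factor; Password / ExternalKey
        # without a TPM protector means the volume is unlocked by a user secret.
        $preBoot = if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') { 'TPM+PIN' }
                   elseif ($types -contains 'Tpm' -or $types -contains 'TpmStartupKey')   { 'TPM (SSO)' }
                   elseif ($types -contains 'Password' -or $types -contains 'ExternalKey') { 'Password/StartupKey' }
                   else { 'None' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem / Data
            Encryption       = $vol.EncryptionMethod    # e.g. XtsAes128 on Windows 10 1511+
            VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted / EncryptionInProgress / ...
            ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
            PreBootAuth      = $preBoot
            RecoveryPassword = ($types -contains 'RecoveryPassword')
            Protectors       = ($types -join ',')
        }
    }
}

Get-PlatformReadiness | Format-List
Get-BitLockerPosture  | Format-Table -AutoSize
```

A volume whose `ProtectionOn` is `$false` while `VolumeStatus` is `FullyEncrypted` is encrypted but suspended (the clear key is on disk), which is the state device encryption sits in until a user with administrative privileges signs in and the recovery key is backed up. An OS volume showing `PreBootAuth = TPM (SSO)` is the configuration the post says is safe only on devices that received the DMA port handling changes described above; on older hardware, `TPM+PIN` remains the appropriate choice.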

As you plan your migration to Windows 10, one of the big decisions you’re going to make is which disk encryption solution you’re going to use. BitLocker is now a perfect choice, as it has the security and management that you need and a level of integration that makes it easier to use and deploy than any other solution in the marketplace. Make sure to evaluate BitLocker as part of your Windows 10 deployment planning process.

Windows Information Protection

BitLocker is a great solution for protecting data when a device is lost or stolen, but how can you protect your data from users who may accidentally leak it? This is where Windows Information Protection (WIP) in the Windows 10 Anniversary Update comes in.

Today, many vendors offer data loss prevention solutions with data separation, containment, and leak protection. One common problem, though, is that while they can protect data pretty well, it often comes at the expense of the user experience.

On mobile devices, there are many MDMs that require users to switch modes or even apps to protect data. For example, with some solutions users can’t use Outlook, and instead they need to use an MDM email client that is optimized for securing data and only provides basic email capabilities. In the case of Knox, users have to switch modes to securely work on business data, as Android needs to physically isolate business data within a container to keep it secure from other apps and from Android itself.

For the desktop, there are solutions that are better integrated into Windows, but few customers use them as they’re expensive, complex to maintain, and still introduce an undesirable level of friction for users.

The challenge with these solutions is that they can’t provide the ideal user experience unless they’re integrated into the platform itself. Microsoft is in a position to make that happen — which is exactly what we’ve done with Windows Information Protection (WIP).

Unlike the third party solutions that we’ve just talked about, WIP is a solution that is easy to deploy and doesn’t get in the way of the user experience. Just turn on a few policies in your MDM (e.g.: Microsoft Intune) or System Center Configuration Manager and WIP is ready to go.

WIP’s capability is fully integrated within the experience your users are already familiar with, and they can continue to use the apps that they, or IT, choose to access protected content. WIP doesn’t require users to use special folders, change modes, use alternate apps, move into secure zones or partitions, etc. Instead, the solution works completely behind the scenes and helps protect data wherever it lives on the device. It can even continue the protection when data is copied to removable storage devices such as thumb drives.

Because WIP is integrated into the platform, most of your existing apps (including your LOB apps) will work with WIP without modification, app wrapping, etc. This is a big differentiator given that, in most cases, third party solutions force users to use completely different apps on mobile vs. desktop devices. For example, your users may use Outlook on the desktop while using a basic third party email client on their phone. For advanced apps that have the ability to work on personal and business data in parallel, or have the ability to egress data outside of the corporate boundary (e.g.: Outlook), changes to support WIP are required. Another option is a policy that forces such an app to treat all of its data as business data. The Office 2016 Universal Windows apps have already been updated to support WIP, and we are working with third parties as needed.

When it comes to leak protection, WIP helps ensure that only authorized users and apps have access to business data. This even works on devices with multiple user profiles. In addition, WIP helps prevent content from business documents from leaking through copy and paste operations.

WIP allows users to freely copy content between business apps and documents, but it won’t allow the data to leak into the personal or public domain unless IT chooses to allow it with a policy. If IT does allow it, the action is audited in the background and your users are encouraged to act responsibly and in a way that complies with your corporate policy.

So at this point you’ve heard about WIP’s capabilities, but if you’re like me you’d probably like to solidify that understanding with some visuals to make sure you got it right. Here are some screenshots and narration to help you better understand what the user experience of WIP will be like for your users.

In this first screenshot you can see Microsoft Edge, and everything looks just like you expect. Microsoft Edge, though, is one of those apps that can work on both personal and business data in parallel, and as a result we had to enhance it to understand how to interact with WIP-protected data.

With these enhancements, when the user navigates from a personal to a business website Microsoft Edge will start enforcing business rules on the site. As you can see here, the user has navigated to a business website, and in this case a briefcase appears near the address bar to indicate that business rules, such as those for copying and pasting data, are now in effect on the site.

While on a business website a user may choose to download a document, and in this case they will be given an opportunity to save the document locally on their device. WIP already knows that the data is business related because of where it came from, and as a result it defaults to protecting the data when it is saved. Optionally, policy could be set to allow the user to change it to personal from the Save As dialog, but in this example IT policy has been set to prevent that.

Once saved locally, users can identify business vs. personal data in folders with the File Ownership column. Depending on policy, IT may enable the user to switch the data from personal to business related or vice versa, or IT can block changes, as shown in the image below where the option to change the data type has been grayed out.

One last scenario worth mentioning is copy and paste. In this image you can see a business related document in Microsoft Word, and you will notice the briefcase is visible, signaling that a business document is currently being viewed or edited. This type of badge will appear on any application that is working on business data.

If the user attempts to copy content from this document and paste it into another app or a document that is not business related, WIP will either warn or block the user depending on IT policy.

When we designed WIP, we set a goal to create a solution that almost every customer would be willing to deploy. We knew that it had to be super easy to deploy, it needed to work with existing apps, and it couldn’t get in the way or require too much user interaction. We wanted it to work great for both SMBs and enterprises, and based on the feedback that we have received so far, we believe that we’ve achieved that goal. WIP was designed to provide “the fundamentals of information protection” that customers asked us for right in the box, and it’s been dovetailed so that it can work with Azure Rights Management and Office 365 to help take data leak prevention to an even higher level.

So there you have it. We believe that we have an exciting information protection offering for you in the Anniversary Update. I’d encourage you to start evaluating our much improved BitLocker and our brand new Windows Information Protection capabilities as part of your Windows 10 proof-of-concepts and evaluations.

Comments (6)

  1. Gareth says:

    Is WIP only available on Windows 10 Enterprise SKU?

    1. WIP is available in Windows 10 Professional SKU and up.

  2. Mike says:

    Can you point me to a whitepaper how this would be done for Windows 10 Mobile with for example Outlook? Thanks!

  3. Eric says:

    I have a WIP profile installed on some Windows 10 systems. When I right-click a file and change the file owner to the group, such as company.com, normally, once I change the owner to the group (domain), the file cannot be moved to a network shared folder and it prompts “permission is required”. But I have one system that has no such restriction, i.e., the file can still be copied or moved to the shared folder freely. May I know what makes the difference? Will joining or not joining a domain impact the result?

    1. Explorer also checks if the endpoint belongs to the enterprise. A share that falls within your Enterprise IP Range and has a domain name under your Enterprise Network Domain Names will be treated as work, and you can freely copy work data there. Also, if you copy data down from such a share it will be protected automatically on your device. If it doesn’t get detected as a work location, it’ll be treated as personal, and policy can prompt you about disclosure.
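The body of the post says WIP is switched on by "a few policies" pushed from Intune or Configuration Manager, and the reply above explains the rule Explorer applies to a destination: a share under your Enterprise Network Domain Names or within your Enterprise IP Range is a work location, anything else is personal. The script below is an added example, not code from the original post, from the commenter, or from Microsoft. It models that classification for a list of UNC paths and URLs, with the policy values written in the same string formats the MDM settings accept (comma-separated `start-end` IPv4 ranges for the Enterprise IP Range, comma-separated domain suffixes for the Enterprise Network Domain Names). The policy values, hostnames and `contoso.com` domain are constructed for illustration; the "Work"/"Personal" verdict here treats a match on either list as a work location, which is this example's simplification, and it does not model proxy or cloud-resource lists or IPv6 ranges, which the real evaluation also considers.

```powershell
# Added example (not from the original post or from Microsoft). Approximates the
# WIP network-boundary check described in the comment thread: is a destination a
# work location (enterprise domain or enterprise IP range) or a personal one?

# Constructed sample policy values, in the formats the MDM settings accept.
$EnterpriseIPRange            = '10.0.0.1-10.255.255.254,172.16.0.1-172.31.255.254'
$EnterpriseNetworkDomainNames = 'corp.contoso.com,files.contoso.com'

function ConvertTo-UInt32Address([string]$Ip) {
    # Big-endian IPv4 text -> unsigned integer so ranges compare numerically.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-EnterpriseIP([string]$Ip, [string]$Ranges) {
    $addr = ConvertTo-UInt32Address $Ip
    foreach ($range in $Ranges -split ',') {
        $start, $end = $range.Trim() -split '-'
        if ($addr -ge (ConvertTo-UInt32Address $start) -and
            $addr -le (ConvertTo-UInt32Address $end)) { return $true }
    }
    $false
}

function Test-EnterpriseDomain([string]$HostName, [string]$Domains) {
    foreach ($d in $Domains -split ',') {
        $d = $d.Trim().ToLowerInvariant()
        # An entry matches the host itself or any subdomain of it; a bare
        # suffix match (evilcorp.contoso.com.attacker.net) must not count.
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    $false
}

function Get-TargetHost([string]$Target) {
    # Accept a UNC path (\\server\share), an absolute URL, or a bare host name.
    if ($Target -match '^\\\\([^\\]+)')          { return $Matches[1].ToLowerInvariant() }
    if ($Target -match '^[a-z][a-z0-9+.-]*://')  { return ([uri]$Target).Host.ToLowerInvariant() }
    $Target.ToLowerInvariant()
}

function Get-WipLocationClass {
    param([string]$Target, [switch]$ResolveDns)
    $h = Get-TargetHost $Target
    $inDomain = $false
    $inRange  = $false
    if ($h -match '^\d{1,3}(\.\d{1,3}){3}$') {
        # Literal IPv4 destination: only the IP range list can match.
        $inRange = Test-EnterpriseIP $h $EnterpriseIPRange
    } else {
        $inDomain = Test-EnterpriseDomain $h $EnterpriseNetworkDomainNames
        if ($ResolveDns -and -not $inDomain) {
            # Optional: a name outside the domain list may still resolve into an
            # enterprise range. Needs network access; failures are treated as no match.
            try {
                $v4 = [System.Net.Dns]::GetHostAddresses($h) |
                      Where-Object { $_.AddressFamily -eq 'InterNetwork' }
                $inRange = [bool]($v4 | Where-Object { Test-EnterpriseIP $_.IPAddressToString $EnterpriseIPRange })
            } catch { }
        }
    }
    [pscustomobject]@{
        Target         = $Target
        Host           = $h
        MatchesDomain  = $inDomain
        MatchesIPRange = $inRange
        Class          = if ($inDomain -or $inRange) { 'Work' } else { 'Personal' }
    }
}

# Constructed destinations: two work shares (by name, by address), a consumer
# cloud URL, a home NAS, and a private address outside the policy ranges.
$targets = '\\fs01.corp.contoso.com\finance',
           '\\10.20.30.40\share',
           'https://onedrive.live.com/',
           '\\nas.home.example\media',
           '192.168.1.50'

$targets | ForEach-Object { Get-WipLocationClass -Target $_ } | Format-Table -AutoSize
```

Run against the constructed policy, the first two targets classify as Work and the remaining three as Personal, which is the behaviour the reply describes: copying a work file to a Personal destination is what triggers the prompt or block, depending on the enforcement level IT chose (silent, override-with-audit, or block), while copying to a Work share is allowed and files copied down from it are protected automatically. Eric's case of one machine that copies freely is what you would expect if that machine's policy simply lists the share's domain or address range while the others' does not.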
