Microsoft Information Protection (MIP). Yet another abbreviation you need to know about?

-
If you are following the news from Ignite, you might have heard the abbreviation MIP. Forget AIP. The big news is MIP someone said to me. Sounds a little dramatic right? Is AIP really dead? Well, to calm down everyone who has invested time and effort into AIP: MIP is not taking over for AIP, it is rather a new umbrella that includes AIP and a lot of other security solutions. It can be seen as a new step in the evolution of Microsoft’s overall information protection strategy.



Earlier today I was even asked: “Is all our work with AIP so far just a waste now that MIP is taking over?” No! First, MIP is not taking over, it is just a new security framework or umbrella if you like. It does not change your configuration, and if you have AIP running today, it will continue to work. Right now, it may seem super confusing, so I will try to explain a little here. 

What is MIP?


Microsoft information protection is the next step in protecting your data.  It is not all here today, but from now and in the next months a lot of new and cool functionality will be available for us. I have taken the liberty of stealing some of the slides from Ignite so I hope you will excuse the quality.
The parts that are included in MIP



As you can see Microsoft are now gathering a lot of functionality into “one product”: Microsoft Information protection. And not only that: They are making it better. If you have worked with information protection you probably know a lot of these products from earlier. Office Message Encryption (OME) has been around for a while, same with Windows information protection. (WIP gave us the possibility to separate private and corporate data for instance). AIP is still AIP, and Office 365 DLP and Cloud App Security is known to most of us. 

The good news is that this evolution of information protection makes it even more useful. The introduction of Office 365 sensitivity labels makes it possible to create our labels in one place  (the Office 365 SCC portal), and use it across several services. Microsoft calls it unification, and that sort of sums it up. 

Unification all across the services

And this is probably the reason why so many got confused. Microsoft started talking about MIP at the same time as they started talking about Unified labels, and Unification of the services. They were also showing demos of sensitivity labels created from the Office 365 Security and Compliance portal, and it would be easy to think that this was MIP, and that AIP now was disappearing. Well, it is not.  

Unification basically means that we can create labels in one place and that the labels we create will be visible across the different services. Sounds cool right? Today when we create a label in the Azure portal, it is not visible in the Office 365 SCC portal and the other way around. This will  change.

And MIP, like mentioned before is a way of gathering all the security solutions in Microsoft 365 into one place. Many of you probably a lot of the security solutions that now fall under the MIP umbrella: Office Message Encryption was one thing (even though you could apply AIP labels through messaging rules for instance), Azure Information Protection was another thing, then we had Windows Information protection, and so on. Also you had labels/classifications in Azure, that where not the same as the ones you had in the Office portal. SharePoint used IRM, which was something different all together. We will see how this will evolve, but I think we will see easier and better solutions coming from Microsoft in the next year.

So, when Microsoft talks about consistent (Auto) Classification across Microsoft services and Unified labeling and classification they are actually solving some of the most frustrating issues around information protection. They are giving us the ability to do the work in one place and use it many places, which is something we have wished for a long time. The features coming in the next few months like native labeling in Office apps without the need of a client, native labeling in Office for Mac, iOS and Android, seeing he same labels in SharePoint as we do in other services and much more will be an awesome addition, and something customers have asked for a long time. 

Unfortunately, not all of the features are available yet. According to Microsoft it can take 3-9 months for everyone to be migrated. This is how it looks for me in the new portals: security.microsoft.com and compliance.microsoft.com:

Unification will be rolled out over the next months


So, some of us still have to wait a little longer for some of the most anticipated functionalities like unification of labels/classifications and the unified administration.  But this is being rolled out, and as mentioned, should be available in the next 3 to 9 months. As Microsoft said on their Ignite presentation on MIP:
No need to do it all again


When your tenant is ready, and you have migrated the labels, they will be visible in the Office 365 SCC.

Info: For those of you who have read some of my previous posts all config is done in the Azure Portal, so we will go through how the creation of a label/classification is done in the new portals at a later time.

 

Other MIP news showed on Ignite

One of the other features I really like is the native integration of labeling/classification into the non-windows Office apps. This is pretty awesome. This screenshot is from word on Mac.

Office on Mac


In Office for Windows we still use the AIP client for a while more. But eventually (end of year) the previews of the same functionality should be available. 

Windows devices integrate with MIP.

Windows 10 with Intune, and WIP policies can protect files based on MIP label and is fully MIP label aware. This means that you can be prevented from accidentally copying files to unmanaged apps and sites. As an example, you can be prevented from adding a protected file to gmail for instance. Before, we would send the file, and even though the recipient could not read the protected data, this seems much smoother. It gives more control and allows users to be informed before they make mistakes. 

Native support for PDF files on Adobe Acrobat.

This is very awesome. Thanks to a good working relationship between Microsoft and Adobe, Adobe Acrobat will now be able to understand and honor labels and protection! The entire labeling experience will be built natively into Acrobat. The public preview should be available sometime mid October 2018, with general availability sometime early next year.

 

The monitoring and reporting will be a heck of a lot better (finally).

The M365 Analytics for retention labels is already available. Those of you who spend a lot of time in the AIP section of the Azure portal you may already have noticed these new options:
Configure analytics

If you are an existing AIP customer and have the AIP client rolled out to your users, you can configure analytics to get started. This should give us a lot better visibility into how our classified, labeled and protected files are being used across the different workloads. You can even view the information based on label type, service or application or on how it has been labeled (automatic/manual). We will also be given recommendation on how we can tune policy settings. 

The roadmap looks extremely interesting, and I will write some more post in the coming weeks about the current and coming functionality.

Roadmap

Comments

Post a Comment

Popular posts from this blog

Do not Forward and the protection of attachments

-
Image
Maybe I am the only one who has misunderstood this, but if not, this may be useful for you. I've been wrong about this for a while, and since it is not a feature we have used, I didn't really look into it until today. I always thought that using Do not Forward in a label would make sure attachments where given the same DNF rights.  Unfortunately I was shown the error of my ways by one of my customers today, when I answered (with some confidence) that, yes: Attachments get the same protection. He then replied that he was able to do all kinds of things with the attachment, and I started to look into it more closely. Microsoft has many great articles about protecting information, and this article is no exception. I guess you just have to read it carefully. They say:  “When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it . For example, in the Outlook cli
Read more

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label

-
Image
Do not Forward and Encrypt Only can be found in Outlook by default for all who uses Office 365 E3 or equivalent/higher. And as many know, they can also be used in a Sensitivity label. But what are the consequenses of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.  As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this:    EO and DNF in Outlook.  I've covered these in earlier blogposts , but lets just quickly go through them again here: " Encrypt/Encrypt-Only " option makes sure the email is encrypted and recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (Basically means no restriction except that they cannot remove the protection). When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be au
Read more