Using Do Not Forward or Encrypt Only as the result of a Sensitivity Label
Do Not Forward and Encrypt Only are available in Outlook by default for everyone who uses Office 365 E3 or an equivalent or higher license. And as many know, they can also be used in a Sensitivity label. But what are the consequences of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.
As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this:
I've covered these in earlier blog posts, but let's just quickly go through them again here:
The "Encrypt/Encrypt-Only" option makes sure the email is encrypted and that recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (which basically means no restrictions, except that they cannot remove the protection).
When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it. For example, in the Outlook client, the Forward button is not available, the Save As and Print menu options are not available, and you cannot add or change recipients in the To, Cc, or Bcc boxes.
These options are great to have, and as you may also know, they can be used as the result of a Sensitivity label.
But some of the limitations of doing so may not be immediately apparent. We have strong control over our sensitive info when using Sensitivity labels, and some of the features we love about that control are lost when we use DNF or EO.
The option to restrict how long someone will be able to read the information
When we create a sensitivity label, we have a couple of awesome features that give us a lot of control. Some of these were covered in this post, but we will say a little something about them here. When we configure the encryption settings, we can specify some important things:
- How long will the recipient be able to read the document.
- How long will the recipient be able to read the document without re-authenticating.
- Should the recipient even be allowed to read the document without authenticating every time?
And here we see where we can say that the recipient should have to authenticate either after a number of days, or every time.
And what we do when we don't want the recipient to have access anymore.
And when we use DNF and EO instead of Assign permissions now, these options are missing. You do, however, have the option to Remove external access, which is awesome:
But know that if you used DNF or EO on the email only, and did nothing extra to secure the attachment, the user could have downloaded a copy and done all kinds of things with it, so you really only secure the content of the email. This also brings us back to the post I wrote about protecting our content if it gets into the wrong hands.
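The two label designs compared above, side by side in Security & Compliance PowerShell. This is an added example, not taken from the original post: the label names, tooltips, the partner.example domain and the 30-day and 7-day values are placeholders chosen for illustration.

```powershell
# Added example: label names, tooltips and partner.example are placeholders.
# Requires the ExchangeOnlineManagement module and compliance admin rights.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Label A: the result of the label is Do Not Forward.
# The usage rights are the fixed DNF set, and no content expiry or
# offline-access period is defined on the label itself.
New-Label -Name 'Ext-Mail-DNF' `
    -DisplayName 'External - Do Not Forward' `
    -Tooltip 'External mail, recipients cannot forward, print or copy' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType UserDefined `
    -EncryptionDoNotForward $true

# Label B: "Assign permissions now".
# Here we decide the rights ourselves AND control how long the content
# can be read and how long it can be opened without re-authenticating.
# Format of the rights string: identity:RIGHT1,RIGHT2;identity2:RIGHT3
$rights = 'partner.example:VIEW,VIEWRIGHTSDATA,REPLY,REPLYALL'

New-Label -Name 'Ext-Mail-Assigned' `
    -DisplayName 'External - Assigned permissions' `
    -Tooltip 'External mail, view and reply only, access expires' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever '30' `
    -EncryptionOfflineAccessDays 7

# Review what was stored for each label before publishing it in a policy.
Get-Label |
    Where-Object { $_.Name -like 'Ext-Mail-*' } |
    Format-List Name, DisplayName, LabelActions
```

Label B leaves out FORWARD, PRINT and EXTRACT to stay close to Do Not Forward behaviour, while keeping the expiry and re-authentication controls that Label A does not have.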
There may be many other things to consider when creating a sensitivity label for external email, and if you have anything to add, please let me know either here in the comments section or on Twitter (@pewinther).