A strong culture of accountability allows Microsoft to support self-service, where employees can create the resources they need without asking for IT support. This philosophy of empowerment is getting a big boost thanks to a recent migration to Microsoft Information Protection sensitivity labels in Microsoft 365, which automatically enforce policy based on group owner classification of shared workspaces.
“If you don’t know what you have, how do you decide what to protect?” says David Johnson, a principal program manager with Microsoft Digital, the organization that powers, protects, and transforms Microsoft. “Labels mean employees can tell us what matters and then we can put policies around it.”
Labels aren’t a new thing for Microsoft; they’ve long been a tool to help classify and protect important groups and documents.
But the labels themselves only informed custom solutions to apply rules; there was no actual protection coming from the label. Now, Microsoft can protect Microsoft 365 groups, SharePoint, Teams, Yammer, and other containers by assigning a sensitivity label in Microsoft 365.
“The old labels were descriptive; the words have cultural meaning, but enforcement was done after the fact with custom solutions,” Johnson says. “This meant enforcement was retroactive. The group was labelled, but security policies weren’t applied until an administrator ran a custom script.”
Moving to sensitivity labels wasn’t as simple as flipping a switch. Custom solutions and years of older labels had to be retired, rerouted, and reconfigured seamlessly, new classifications had to be developed and adopted, and Microsoft’s users had to be able to work without disruption.
Transforming the way labels work
“The governance space is an interesting intersection between security and compliance,” says Dave Westhoff, a senior software engineer with Microsoft Digital. “Governance is a user-level reckoning of who has access to things. Do the right people have access? Do you know that it’s secured? Should it and could it be shared?”
Prior to sensitivity labels, Microsoft’s container labels were nothing more than strings of text in Microsoft Azure Active Directory (AAD). Users could apply the appropriate classification, but that wouldn’t give the label any enforcement.
“There’s nothing innate in AAD that says, ‘You can’t do this thing because of the label,’” Westhoff says.
Custom scripts run by administrators applied rules to the workspace. The gap between creation and enforcement was a concern.
“There was no way to get between the user and the action,” Westhoff says. “It could be a day or a week later. We couldn’t prevent a bad state.”
This complex problem is somewhat unique to Microsoft.
“It’s a challenge that others won’t necessarily face,” says Katia Gomes Cavalcanti, a senior program manager with Microsoft Digital. “We were coming from a prior solution for classification and labeling.”
Outside of custom solutions for policy enforcement, Microsoft had other custom tools relying on AAD labels. These solutions had to be maintained to preserve governance, which meant they also had to be carefully retired or remapped as Microsoft Digital moved to Microsoft Information Protection sensitivity labels in Microsoft 365.
“We’re one of the biggest enterprises in the world to convert from AAD to sensitivity labels,” says Mohana Ekambaram, a program manager with Microsoft Digital. “It’s not a green field approach.”
In addition to the large size and existing framework, there was no way to gradually deploy sensitivity labels. Instead of a ring-based deployment, sensitivity labels would be tenant-wide as soon as they were activated.
“All the workloads must be in position,” Ekambaram says. “If a group does not have the capability, it will break the functionality.”
This meant carefully analyzing the environment.
“The first step was to identify all the processes we have in place that were relying on the AAD classification scheme,” Gomes Cavalcanti says. “Not all of the workloads would be surfacing the new sensitivity labels from the get-go; they had different timelines. We needed to co-exist for a period of time.”
But before they could start any of the technical work, Microsoft Digital had to engage with stakeholders from across the company.
Aligning on governance
“Container labels drive culture,” Johnson says. “Label definition is going to create awareness and corporate buy-in. It has to be intuitive. It has to have meaning that people will get behind.”
Users are unlikely to understand the full breadth of rules and settings that make up a security policy, but they’ll be familiar with concepts like “General” and “Highly-Confidential.” Selecting the right terms for labels meant the right policies could be adopted without much difficulty.
“It makes life simple for the business,” Johnson says. “Over time, you want there to be a rationalized hierarchy. You’re defining terminology that the company is blessing, but it also defines how open or closed you are.”
Johnson sees culture as being an important part of a good governance policy, especially one that supports self-service. If stakeholders cannot align on label taxonomy and policy, labels will be meaningless.
Fortunately, Microsoft Digital was able to establish intuitive labels, each backed by a specific policy that defines several important security settings for a group, such as privacy, sharing, and guest access.
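An added illustration of the pattern described here, not Microsoft Digital’s actual configuration: three labels whose words match the ones users already know, each carrying the container settings (privacy, guest access, external sharing) that give the word its enforcement. It uses the Security & Compliance PowerShell cmdlets New-Label and New-LabelPolicy with the parameter names documented for container labels; the label names, tooltips, policy name and the setting chosen for each label are assumptions for the example.

```powershell
# Added example (not Microsoft Digital's script): define a small container-label
# hierarchy where each label name is backed by concrete group settings.
# Runs in Security & Compliance PowerShell; the names and settings below are assumed.
Connect-IPPSSession

# Assumed taxonomy: label name -> container protection settings.
$labels = @(
    @{ Name = 'General';             Privacy = 'Public';  Guests = $true;  Sharing = 'ExternalUserAndGuestSharing' }
    @{ Name = 'Confidential';        Privacy = 'Private'; Guests = $true;  Sharing = 'ExternalUserSharingOnly' }
    @{ Name = 'Highly-Confidential'; Privacy = 'Private'; Guests = $false; Sharing = 'Disabled' }
)

foreach ($l in $labels) {
    # ContentType 'Site, UnifiedGroup' scopes the label to containers (groups, sites, teams).
    New-Label -Name $l.Name -DisplayName $l.Name `
        -Tooltip "Apply to workspaces classified as $($l.Name)" `
        -ContentType 'Site, UnifiedGroup' `
        -SiteAndGroupProtectionEnabled $true `
        -SiteAndGroupProtectionPrivacy $l.Privacy `
        -SiteAndGroupProtectionAllowAccessToGuestUsers $l.Guests `
        -SiteExternalSharingControlType $l.Sharing
}

# Publish the labels so they show up in the group-creation prompt (policy name assumed).
New-LabelPolicy -Name 'Container labels' `
    -Labels ($labels | ForEach-Object { $_.Name }) `
    -ExchangeLocation All
```

The point of keeping the table small is the one Johnson makes above: the settings can be as detailed as the policy needs, but the words a group owner chooses from should stay few and intuitive.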
One label to rule them all
Sensitivity labels in Microsoft 365 did more than shift enforcement from reactive to proactive; they also allowed Microsoft to unify document and container labels in a single place.
“There used to be multiple concepts of labels,” Westhoff says. “Document labels are different than AAD labels, for example. Under the hood, the new sensitivity labels are unified.”
With sensitivity labels, Microsoft Digital can now manage containers and documents from the same location, using the same taxonomy and policies. This reduces the workload on administrators who help enforce governance.
While there’s currently no relationship between containers and documents as it relates to policy, this unification allows Microsoft to build towards a long-term governance strategy.
“Today, there’s no connection between container labels and document labels; there’s no inheritance,” Johnson says. “But we’re connecting the dots to a forward-facing state where a highly-confidential document can’t be placed in a Teams group that everyone has access to.”
Migrating to a new kind of label
Having aligned on taxonomy and policy, the stakeholders charted a clear timeline defining which tasks had to be completed to migrate from AAD to sensitivity labels. Additionally, a rollback plan was put in place as a contingency.
“Once the solution was enabled, it was live for the whole tenant,” says Gomes Cavalcanti. “We had to define a migration that would allow us to go back if needed.”
Testing was done to simulate the migration and identify scenarios that might force the team to halt and reconsider.
“We had to log everything so that we could revert to the last good state,” Ekambaram says. “We didn’t have to execute it, but we needed a failsafe just in case.”
Having charted out the path, Microsoft Digital could start remapping and removing custom tools that previously called AAD labels.
“It’s ripping out old references, doing updates, locating calls and permissions,” Westhoff says. “Pretty straightforward engineering stuff.”
After the old references were pulled, a weekend was identified and the migration was scheduled. An administrator ran a PowerShell script on a Friday at the end of the workday and the migration was completed by Sunday.
“We did a lot of post-deployment in terms of validating our tenant,” Westhoff says. “We were checking to see if legacy applications or custom tooling could still make groups without labels. We did a lot of the hard work in terms of identifying dependencies and exceptions early, so we didn’t have a lot of cleanup or help desk calls.”
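The dependency inventory Gomes Cavalcanti describes earlier (finding what still relies on the AAD classification scheme) and the post-deployment check Westhoff describes here (whether anything can still create groups without a label) come down to the same question: for every Microsoft 365 group, what is its legacy classification string and what is its sensitivity label? The script below is an added example, not Microsoft Digital’s tooling. It uses the Microsoft Graph PowerShell SDK (Get-MgGroup with the group’s classification and assignedLabels properties); the mapping from legacy classification names to label GUIDs is a constructed placeholder to be replaced with the tenant’s real label IDs.

```powershell
# Added example (not Microsoft Digital's script): report Microsoft 365 groups that
# still carry only a legacy AAD classification, carry a label that does not match
# their classification, or have no label at all. Requires Group.Read.All.
Connect-MgGraph -Scopes 'Group.Read.All'

# Placeholder mapping from legacy classification strings to sensitivity label GUIDs.
# The GUIDs here are constructed; take the real ones from the compliance portal.
$LegacyToLabel = @{
    'General'             = '00000000-0000-0000-0000-000000000001'
    'Confidential'        = '00000000-0000-0000-0000-000000000002'
    'Highly-Confidential' = '00000000-0000-0000-0000-000000000003'
}

# Only Microsoft 365 (Unified) groups can carry container labels.
$groups = Get-MgGroup -All `
    -Filter "groupTypes/any(c:c eq 'Unified')" `
    -Property 'id,displayName,classification,assignedLabels,createdDateTime'

$report = foreach ($g in $groups) {
    $labelId  = $g.AssignedLabels | Select-Object -First 1 -ExpandProperty LabelId
    $expected = if ($g.Classification) { $LegacyToLabel[$g.Classification] } else { $null }

    $state = if (-not $labelId -and -not $g.Classification) { 'Unlabelled' }   # nothing at all
             elseif (-not $labelId)                          { 'LegacyOnly' }   # old string, no enforcement
             elseif ($expected -and $expected -ne $labelId)  { 'Mismatch' }     # remapped to the wrong label
             else                                            { 'Labelled' }

    [pscustomobject]@{
        DisplayName    = $g.DisplayName
        Classification = $g.Classification
        LabelId        = $labelId
        State          = $state
        Created        = $g.CreatedDateTime
    }
}

# Coverage figure of the kind quoted in the article (share of containers labelled).
$labelled = @($report | Where-Object State -eq 'Labelled').Count
'{0} of {1} groups labelled ({2:P0})' -f $labelled, $report.Count, ($labelled / [math]::Max($report.Count, 1))

# Anything not fully labelled, newest first: a group created after cut-over with no
# label points at a creation path (legacy app, custom tool) that bypassed the prompt.
$report | Where-Object { $_.State -ne 'Labelled' } |
    Sort-Object Created -Descending | Format-Table -AutoSize
```

Run once before migration to size the LegacyOnly population and once after to confirm it has drained; anything that reappears in the Unlabelled bucket afterwards is a dependency the inventory missed.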
Good governance empowers users
As an organization, Microsoft can now attach a set of rules to a label. This is critical in promoting a self-service environment.
“We invested a lot of time trying to figure out a process to quickly move from AAD to the new sensitivity labels,” Gomes Cavalcanti says. “It was a lot of back and forth with stakeholders, but we’re now able to easily enforce policies based on labels.”
This opens the door for better protections and guiding principles across Microsoft.
“We can now piggyback several compliance policies on top of labels,” Ekambaram says. “It’s a quicker and easier way to push policies and enforcement.”
Now that sensitivity labels are rolled out across Microsoft, whenever a user creates a new group, they’ll be prompted with a common set of classifications to apply to the workspace. Selecting the label applies the correct governance setting to the container. With each new group, Microsoft extends its philosophy of accountability.
“Trust but verify enables self-service,” Johnson says. “We started with 86 percent of our containers labelled. We’re now moving closer to 100 percent. If your data state is labeled that effectively, it’s easy to understand what matters.”