Protect your Data with Windows Information Protection (intro)

This post is part of a series on Windows Information Protection, from the basics through deployment and configuration.

Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps protect against potential data leakage without otherwise interfering with the employee experience.

WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.

Finally, another data protection technology, Azure Rights Management, works alongside WIP to extend protection to data that leaves the device, such as when email attachments are sent from an enterprise-aware version of a rights management mail client.

Windows Information Protection (WIP) is a great solution for companies who want to enable a bring-your-own-device solution and at the same time protect corporate data.

Data separation & Windows Information Protection

The main idea behind Windows Information Protection (WIP) is to keep work and personal data separate and protect corporate data.

As a result, WIP can help reduce the risk of (accidental) data leaks through apps and email services that are outside the enterprise's control, for example a personal Gmail account. To do this, WIP needs to be able to tell personal data apart from work-related data.

Enterprise Data

WIP tags data as corporate based on the corporate identities you define (for example contoso.com) and the network boundaries you define (for example contoso.sharepoint.com).

Data saved to the device from these corporate sources is then automatically encrypted with the Windows Encrypting File System (EFS). In other words, WIP does not encrypt your files on SharePoint or OneDrive; it only encrypts corporate data once it is saved to the device.

Through the WIP policy (with or without enrollment), administrators define which apps are allowed to access corporate data and whether users can copy data out of those files and paste it into personal documents.
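As an added example (not code from the original post), the following Windows PowerShell 5.1 script asks Windows for the WIP protection status of every file under a folder, using the Windows.Security.EnterpriseData.FileProtectionManager WinRT API. Save one file from a corporate location and one from a personal source into the folder and run the script: only the corporate file should come back as Protected and carry your enterprise identity. The folder path C:\Users\Public\WipTest is a placeholder.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 5.1 (the
# [Type, Namespace, ContentType=WindowsRuntime] syntax is not available in PowerShell 7)
# on a Windows 10 device that has received a WIP policy.
Add-Type -AssemblyName System.Runtime.WindowsRuntime

# Load the WinRT types the script uses.
[Windows.Storage.StorageFile, Windows.Storage, ContentType=WindowsRuntime] | Out-Null
[Windows.Security.EnterpriseData.FileProtectionManager, Windows.Security.EnterpriseData, ContentType=WindowsRuntime] | Out-Null
[Windows.Security.EnterpriseData.FileProtectionInfo, Windows.Security.EnterpriseData, ContentType=WindowsRuntime] | Out-Null

# WinRT async operations must be wrapped as .NET tasks before PowerShell can wait on them.
$asTaskGeneric = [System.WindowsRuntimeSystemExtensions].GetMethods() |
    Where-Object { $_.Name -eq 'AsTask' -and $_.GetParameters().Count -eq 1 -and
                   $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1' } |
    Select-Object -First 1

function Wait-WinRt {
    param($AsyncOperation, [Type]$ResultType)
    $task = $asTaskGeneric.MakeGenericMethod($ResultType).Invoke($null, @($AsyncOperation))
    $task.Wait(-1) | Out-Null
    $task.Result
}

function Get-WipFileStatus {
    # Returns the WIP status and the owning enterprise identity of a single file.
    param([Parameter(Mandatory)][string]$Path)

    $file = Wait-WinRt ([Windows.Storage.StorageFile]::GetFileFromPathAsync($Path)) ([Windows.Storage.StorageFile])
    $info = Wait-WinRt ([Windows.Security.EnterpriseData.FileProtectionManager]::GetStatusAsync($file)) ([Windows.Security.EnterpriseData.FileProtectionInfo])

    [pscustomobject]@{
        Path     = $Path
        Status   = $info.Status     # Protected, Unprotected, Revoked, NotProtectable, ...
        Identity = $info.Identity   # the enterprise identity (e.g. contoso.com) on protected files
    }
}

# Placeholder folder (assumption): put a file saved from a corporate source and a file
# saved from a personal source here, then compare the two rows.
$testFolder = 'C:\Users\Public\WipTest'
Get-ChildItem -Path $testFolder -File -Recurse |
    ForEach-Object { Get-WipFileStatus -Path $_.FullName } |
    Format-Table -AutoSize
```

A file that shows Unprotected even though it came from a location inside your network boundary usually means the boundary or corporate identity in the policy does not match the source, or the app that saved it is not on the allowed apps list; that is the first thing to check before assuming EFS itself failed.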

Personal data

A selective wipe does not delete personal files: when the user removes his or her work account, only corporate data is removed.

Protected corporate data is also revoked, and becomes inaccessible, once the device is unenrolled or the work account is removed from Azure AD. Administrators can remotely wipe corporate data from the device in the same way while leaving personal data untouched.

Enlightened applications vs Unenlightened applications

There are two kinds of applications you need to know about: enlightened applications (MAM aware) and unenlightened applications (MAM unaware).

The difference is that enlightened apps can tell corporate data and personal data apart, whereas unenlightened apps cannot. Office 365 ProPlus apps such as Word, Excel, PowerPoint, OneNote and Outlook are enlightened apps. Google Chrome, Firefox and WordPad are examples of unenlightened apps.

If you want unenlightened apps to be able to access corporate data and encrypt files, you have to add them to the WIP policy as allowed (managed) applications.

When you configure an unenlightened app as corporate-managed, it treats all data as corporate and encrypts everything it creates or edits by default, so think about this before you add unenlightened apps. Microsoft recommends adding only line-of-business (LOB) apps to your allowed apps list.
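When you do decide to add an unenlightened desktop (Win32) LOB app, the policy identifies it by its code-signing publisher, product name, binary name and version. As an added example (not code from the original post), this Windows PowerShell script pulls those details from a signed binary with the AppLocker cmdlets and generates an AppLocker publisher-rule XML that can be imported into the WIP policy's allowed apps list. The path C:\Program Files\Contoso\LobApp\LobApp.exe is a placeholder.

```powershell
# Added example, not from the original post. Run on a Windows 10 Pro/Enterprise device
# (the AppLocker module ships with these editions). The LobApp.exe path is a placeholder.
Import-Module AppLocker

function Get-WipAppPublisherInfo {
    # Returns the four values the WIP policy needs for a desktop app entry.
    param([Parameter(Mandatory)][string]$Path)

    $info = Get-AppLockerFileInformation -Path $Path
    if (-not $info.Publisher) {
        # Unsigned binaries carry no publisher information, so a publisher-based
        # WIP rule cannot be built for them; they must be signed first.
        throw "$Path is not signed; sign it before adding it to the WIP policy."
    }

    [pscustomobject]@{
        Publisher  = $info.Publisher.PublisherName   # e.g. O=CONTOSO, L=..., S=..., C=US
        Product    = $info.Publisher.ProductName
        Binary     = $info.Publisher.BinaryName
        MinVersion = $info.Publisher.BinaryVersion
    }
}

function New-WipAllowedAppXml {
    # Builds an AppLocker policy fragment with one publisher rule per binary.
    # Publisher rules keep working across updates of the app; hash rules would break
    # on every new build and path rules are trivially bypassed by copying the binary.
    param([Parameter(Mandatory)][string[]]$Path)

    $fileInfo = Get-AppLockerFileInformation -Path $Path
    New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher -User Everyone -Xml
}

$lobApp = 'C:\Program Files\Contoso\LobApp\LobApp.exe'   # placeholder (assumption)
Get-WipAppPublisherInfo -Path $lobApp
New-WipAllowedAppXml -Path $lobApp | Out-File -FilePath .\LobApp-WIP.xml -Encoding utf8
```

Keep the generated rule scoped to the one product and binary rather than loosening it to the whole publisher: every binary that matches the rule becomes a corporate-managed app, and as described above an unenlightened managed app will encrypt everything it touches.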

App Protection Policies with WIP

You can configure two kinds of WIP policy to ensure corporate data remains safe or contained in a managed app: WIP with enrollment in Mobile Device Management (MDM) and WIP without enrollment in MDM.

Choosing the right one helps you target the right group of users. WIP with enrollment in MDM is for organizations that manage devices with an MDM solution like Microsoft Intune.

If you only want to manage the applications and data, you can use the mobile application management (MAM) approach, where there is no need to fully enroll devices in MDM. A policy is a set of rules that is enforced, for example, when a user attempts to copy and paste corporate data into an unsanctioned application or location.

WIP with Enrollment

When you enroll a device in a mobile device management solution like Microsoft Intune you can manage the device from a central management portal.

In most cases, MDM enrolled devices will be corporate. These devices are targeted with WIP policies for enrolled devices (WIP With Enrollment) and you will have full control over these devices.

WIP without Enrollment (WIP-WE)

Users find full device management of BYO devices somewhat intrusive and prefer a less intrusive method where only the data in applications is managed.

Assuming you don't have automatic MDM enrollment enabled for your tenant, when a user adds a work account the device registers in Azure AD and you can manage corporate data without fully managing the device with Microsoft Intune. These users can be targeted with WIP without enrollment (WIP-WE).

Windows Information Protection without enrollment is sometimes referred to as WIP-WE or MAM-WE. Mobile application management protects an organization's data within an application.

With MAM without enrollment (MAM-WE), an app that contains corporate data can be managed on corporate devices or on personal devices in bring-your-own-device scenarios. MAM manages only the data in applications, whereas MDM manages the whole device.

Prerequisites for WIP

To get going you'll need to have the following in place:

  • Intune enabled as the MDM authority
  • Windows 10 1703 and above (Pro, Enterprise or Education edition)
  • EMS E3 licenses (which include Intune and Azure AD Premium P1)
  • Your MAM provider configured in Azure AD (required for WIP without enrollment)

Notes:

  • Windows Home edition supports WIP for MAM-only
  • WIP doesn’t support multi-identity. Only one managed identity per device
  • WIP protects enterprise data locally and on removable media
  • WIP gives admins the ability to revoke corporate data while leaving personal data alone

Putting WIP in Context

WIP is not an impenetrable security system that will guarantee that no one ever shares corporate data, accidentally or on purpose, with people who aren’t supposed to have it. It does make it easier to avoid sharing mistakes.

The WIP policy controls and auditing give you a useful set of tools for protecting against and responding to the kinds of incidents that might lead to a data breach. In that light, WIP is a valuable addition to your security toolbox.

Follow me on Twitter: https://twitter.com/EliShlomo
