Protect and Manage Sharing of Sensitive Documents


In my previous post, Classifying and Protecting Data in Office 365, I created an AIP (Azure Information Protection) label / policy that applied a footer text with “Sensitivity: Confidential”.

In this post, I’ll describe how you can take advantage of the properties stored in the document, by applying a rule to protect information sharing.

For example, to protect documents from being sent to external organizations via e-mail, you can configure a rule in Exchange to detect the document properties with a sensitivity label. Here’s an example of the configuration I created.

Exchange Mail Flow Rule

When a user within your organization attempts to send an e-mail with an attachment labeled ‘Confidential’, the mail flow rule blocks it and the sender receives the delivery failure message shown below (with the recipients’ e-mail addresses grayed out).


However, if you need to send to your trusted partners or customers, you can add their specific domains to the exception list in the mail flow rule. In the example below, I added one trusted domain to the rule.


With this exception, I was able to send the document labelled with ‘Confidential’ to the external recipients with the domain specified.
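The rule described above was built in the Exchange admin center; the following is an added example, not the post’s own configuration, showing the same rule created with Exchange Online PowerShell so it can be reviewed and version-controlled. It assumes the AIP label writes a document property named `Sensitivity` with the value `Confidential` (unified sensitivity labels write `MSIP_Label_<GUID>_Name` instead, so substitute that property name if that is what your labels produce), and it uses `partner.example` as a placeholder for the trusted domain.

```powershell
# Added example: create the outbound-blocking mail flow rule with the
# ExchangeOnlineManagement module. Not the original post's configuration.
# Assumptions: the label writes a "Sensitivity" document property set to
# "Confidential"; "partner.example" stands in for your trusted partner domain.

Connect-ExchangeOnline   # interactive admin sign-in; requires the ExchangeOnlineManagement module

$ruleName       = 'Block external sharing of Confidential attachments'
$trustedDomains = @('partner.example')   # placeholder exception list; add approved partner domains here

# Create the rule in Audit mode first so matches show up in message trace
# without blocking any mail; switch to Enforce once the results look right.
New-TransportRule -Name $ruleName `
    -Comments 'Blocks outbound mail whose Office attachments carry a Confidential document property' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -AttachmentPropertyContainsWords 'Sensitivity:Confidential' `
    -ExceptIfRecipientDomainIs $trustedDomains `
    -RejectMessageReasonText 'This message was blocked because it contains a document labelled Confidential. Contact IT to share it with an approved partner.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit

# Confirm the condition and the exception were stored as intended.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, SentToScope,
                AttachmentPropertyContainsWords, ExceptIfRecipientDomainIs, RejectMessageReasonText

# After reviewing the audit results, start enforcing the rule.
Set-TransportRule -Identity $ruleName -Mode Enforce

# To add a newly approved partner domain later without recreating the rule,
# extend the existing exception list rather than overwriting it.
$current = @((Get-TransportRule -Identity $ruleName).ExceptIfRecipientDomainIs)
Set-TransportRule -Identity $ruleName -ExceptIfRecipientDomainIs ($current + 'newpartner.example')
```

Two points worth checking in practice: `AttachmentPropertyContainsWords` only inspects the custom properties of Office documents, so the rule does nothing for a PDF or a ZIP containing the labelled file, and the condition matches on words in the property value, so a label value such as “Confidential – Finance” still matches. Review the Audit results in message trace before moving to Enforce so that legitimate partner traffic is not blocked by a missing exception.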

With the latest and greatest changes to AIP and Office 365 Message Encryption announced during the recent Microsoft Ignite Conference, the user experience of protecting and sharing your documents may differ from what is written in this post. I’ll continue to provide updates as new information becomes available.

If you’re interested in learning more about data classification and protecting your organization’s information assets, feel free to connect with us at


Benefits of Data Classification


Organizations are overwhelmed with data, from e-mails to confidential documents.  With increased reliance on cloud services like Office 365, data is no longer locked behind the walls of your organization. Today’s organizations and the nature of connecting users, business partners, and suppliers generate a tremendous amount of data.  How can you ensure that important data is protected, without needing to protect everything?


What is data classification?

Data classification is the process an organization follows to develop an understanding of its information assets and to categorize those assets so that it can safeguard information and comply with its information security policies, laws, regulations, and compliance obligations.  This is done by applying labels to documents, either manually or automatically based on predefined policies.

A typical data classification policy might define information at four levels:

  • Restricted: Data that is considered most critical to the organization. Disclosure of this data could constitute a regulatory violation or have a severe regulatory impact.
  • Confidential: Highly sensitive corporate and customer data that, if disclosed, could put your organization at financial risk, cause loss of customers, or disrupt operations.
  • Official Use: Internal data that is not meant for public disclosure. If compromised, it would have minimal impact and would not affect the profitability or continuing operations of the business.
  • Public: Data that requires no special protection and may be freely disclosed to the public.

Benefits of classifying your data

The sensitivity of data varies significantly from public information to highly confidential trade secrets.  To ensure proper protection, organizations need to identify and classify data, while defining standards and policies to properly handle each type of data.

Consistent use of data classification will facilitate more efficient business activities, and lower the costs of ensuring adequate information security.  By classifying data, your organization can prepare to identify the risk and impact of an incident based upon what type of data is involved.

Compliance – Classifying data, adding labels, and enforcing policies helps your organization meet legal compliance and regulatory requirements.

Usage Rights – By understanding the sensitivity of the data, you can begin to understand who should or shouldn’t have access to it both inside and outside of your organization.

Awareness – Data classification helps ensure employees are more aware of the type of information they are handling and its value, as well as their obligations to protect it against data loss or compromise of intellectual property.

End User Empowerment – Data classification brings security to the front of your organization by empowering its users. Many data leaks could be avoided if a data classification solution is in place. Adding visual labels to headers and footers helps raise end user awareness, helps users become more security focused, and discourages sharing sensitive content on USB drives, via e-mail, or through cloud services like Box or Dropbox.

Getting Started

Getting started with data classification requires understanding your organization’s data compliance and security needs. When you are ready to start classifying your data, keep these in mind:

  • Keep the process of classifying data simple for both users and the data custodians
  • Don’t try to classify everything immediately
  • Work with data owners to focus first on the most business-critical, highly sensitive, critical assets and systems

Securing data is a growing challenge, but incremental steps are key to an organized and classified data model.  Data classification provides a clear picture of the data within your organization’s control and an understanding of where data is stored, how it is most easily accessed, and how it is best protected from potential security risks.

In this post, I covered the foundation of data classification.  In my next post, I’ll focus on classifying data in Office 365.