Microsoft 365

10 December 2021

Classify and protect sensitive data: focus on MIP

Classification with MIP

Data security issues, with rising data volumes and attacks, are becoming increasingly significant. The expansion of collaborative tools and their widespread adoption offers the possibility for users to manage their data and the risks associated to it.(1)

How to secure a large volume of data, how to quickly identify the most sensitive data to protect?

It is difficult for the security teams to apply a single data protection policy. Indeed, not all data is equal in terms of criticality for the company. It is therefore important to identify the data by classification in order to determine a level of sensitivity. It will then be possible to protect the most sensitive data. 

Classify and protect - issues reinforced by regulatory obligations (GRPD) 

One of the main risks is the deliberate or involuntary leakage of data. Some information, through mismanagement or in the wrong hands can result in threats to the company's reputation and interests, and even at economical cost. These informations are considered as sensitive for companies. It concerns regulated data (customers), financial status, assets (patents, plans etc...) or strategic decisions.  

To better control the risks, it is advisable to apply a process to discover, classify and protect the data. 

1. Identify sensitive data 

To protect sensitive data, you must first have a good knowledge of the company's data. 
Several questions can be asked to determine them:  

  • What are the different data held by the company?  
  • What is a sensitive data for my company? 
  • Where are those data located?  
  • Who has access today?  
  • What are the impacts in case of a leak?  

By questioning the nature of the data and the issues involved, it will be possible to determine the levels of risk and prioritize the information.  

2. Define classification levels 

It is important to define your own classification levels for all data in the company. When defining them, it will also be necessary to give examples for each level to facilitate understanding of users.  

There is no perfect model; each company, depending on its environment and complexities, will define its own data classification table. However, it is recommended not to exceed 4 levels.  

In general, companies apply 3 levels of classification: confidential, internal, and public. 

3. Classify data according to its level of confidentiality

Organizations can define strategies to classify and then label the most sensitive data.  

Once the classification is defined, it will be necessary to apply it to all the data according to its content. This consists of putting a label on the data with the classification level.  

The use of this label will help to classify the data into different categories according to established criteria. Associated with the data search, the labels applied to the files will allow the creation of an identification process for the resources and the establishment of the most appropriate protection strategy.  

The labelling of information can be done on different types of data such as files, images, folders or even the most sensitive emails.  

There are several ways to tag information:  

  • Manually by involving the user  
  • Automatically through strategies or software 

4. Protect data  

  • Through encryption 

From a level of classification, it is possible to choose an encryption. 

Encryption provides an additional security to prevent someone from accessing the content of the document. 

A company can decide that, for a given classification level, either automatically or by a user, encryption will be established on the information.  

Like the labelling of information, encryption can also be added thanks to solutions that scan documents. These solutions look for patterns and automatically apply labels, restrictions and/or encryption.  

  • Through access restriction 

Depending on the level of classification, restrictions on rights and accesses can be proposed. For example, it is possible to prohibit transfers, copies, printing and to restrict access to specific people. 

5. Monitor and track labelled data  

You need to be able to track activity on classified data and review access as necessary.  

Administrators can use reports to monitor and control this data. They will, for example, be able to:  

  • Monitor tagged documents or emails 
  • Identify who has accessed a document with a certain classification level 
  • Easily identify documents with the most sensitive information and with a risk for the company 

It is possible to analyse the different labelled contents and understand if they have the right label and the right level of protection. 


Dashboard de Monitoring Microsoft AIP


The MIP solution to protect sensitive data 

Today, many companies use Microsoft 365 solutions and need to secure shares in these collaborative tools.  

Through its Azure Cloud platform, Microsoft offers a wide range of protection tools that integrate with Microsoft 365 and Windows services. To classify and protect sensitive data, Microsoft has developed a solution named MIP. 

1. Overview of MIP Solution 

MIP is the abbreviation of Microsoft Information Protection, formerly known as AIP (Azure Information Protection. 

NB. Microsoft Information Protection is not a tool but rather an environment with associated applications and functionalities. 

More specifically, Microsoft Information Protection focuses on identifying and protecting sensitive data. It supports many types of content: emails, Office or PDF files and images for example. MIP applies to files stored on on-premises file servers and on cloud platforms, such as SharePoint, OneDrive, and Microsoft Teams. 

The solution is included in the E3 and E5 licenses of Microsoft 365 and is offered in Premium versions for additional functionality. In the premium versions, the main functionality is the MIP scanner. It allows to identify and encrypt automatically sensitive data to follow and control the access to documents. 

Les fonctionnalités d'Azure Information Protection

2. Classification and labelling of sensitive data with MIP

MIP allows to define a classification and to label documents and emails but for that it is first necessary to identify the sensitive data. 

This identification can be done in two ways: manually or automatically, depending on the chosen solution (basic or premium).  

For the manual part, the identification and labelling is done by the users. They will then have the choice to add the label that corresponds to the sensitivity level of the document, with the effect of inserting a visual marker on the resource and a label in its metadata.  

Some organizations, to encourage users to label their documents, apply a default label, visible to the user. The user will be able to change it if necessary. 

Processus d'étiquetage avec Azure information protection

On the contrary, the MIP scanner allows to detect and classify automatically all the data in the environment. The scanner will analyse the information contained in the documents and look at their level of conformity according to the established models and rules. Following this analysis, it will be able to tell if the document should be labelled and on what level: for example, Confidential, Highly Confidential.  

However, the scanner is a paid service included with certain licenses with additional costs an require a prerequisite: the file must be indexed by Windows. This scanner can be a source of errors and requires precise settings. 

3. Data encryption with Azure RMS 

Microsoft Information Protection has identified sensitive data manually or automatically and uses Azure Rights Management (Azure RMS) encryption to protect them.  

From the moment a data is tagged, it applies security policies by establishing relationships between rules and the chosen classification tags. 

Azure RMS will use advanced encryption to establish identification and authorization policies to protect data. This tool encrypt data at the application level that hosts it. The file will therefore carry the encryption and only authorized people will have access to it. As the encryption is done in the document header, the document will always be protected even if it is shared with someone outside the organization. 

Support employees in the protection of their sensitive data 

33% of security incidents encountered by companies are linked to a negligence or configuration error by an administrator or an employee. (1)

Still often considered as a weak link, the user plays an essential role in data protection. It is important to support them in their use. The responsibility and the protection of information go through an adoption phase on the reflexes to have around the data and a good knowledge of the tools. 

1. Assign the right levels of confidentiality on documents 

Employees must be sensitive to the security levels of the data, they handle in order to be able to protect the information. They must therefore recognize sensitive information, emails, and documents.  

It can be interesting to define an exhaustive list of data considered as sensitive and the classifications that must be applied. Employees will have a clearer vision and will be able to protect their data more easily. 

MIP can propose native levels facilitating the classification by the user. 

After identification, employee must ensure that the document has the necessary protections against inappropriate access. 

2. Give limited access right 

It is important to give access rights to data only to those who need them (principle of least privilege). Once the information has been identified as sensitive, it is necessary to designate who can access it and with what rights. 

Depending on the level of classification given in MIP, the user may be required to designate who is authorized to access the information. 

3. Regularly check rights and accesses

Like on OneDrive or Microsoft Teams, it is important to verify rights. A collaboration may have ended, or a collaborator may have changed position, so he or she will no longer be entitled to receive certain information. The sharing is then considered obsolete.  

In MIP, it will be required to regularly check the rights granted on documents and to remove some rights/accesses if necessary. This review of rights and accesses can be initiated according to the progress of the document, for example at the end of each validation, by month or by quarter. 

Classification and labelling to secure sensitive data  

Classification and labelling are the foundation of a data protection strategy. Whether from a compliance, governance, or security perspective, they will enable organizations to effectively protect their most sensitive data.  

IT/security teams need to oversee the proper labelling of documents, any encryption needs and data access restrictions. They will need to accompany the user to establish effective protection. 

The deployment of protection tools like MIP will help companies in these protection steps. AIP currently offers two licenses: basic and premium. The second premium will have a higher cost and additional features (scanner).  

Some companies have made the choice to find alternative solutions to monitor MIP classified data on Microsoft 365. 

IDECSI, a complete and efficient protection of your sensitive data, with the integration of MIP classifications 

Allowing each owner of sensitive data to identify his or her tagged data and the rights, delegations, and accesses, is an essential element in the data protection. 

IDECSI has recently enriched its Data Security platform to allow each user to easily control the MIP tagged sensitive resources. The platform is supported by a powerful search tool. Administrators and users gain visibility, detect, and remediate risks quickly.  

Combined with its user platform, IDECSI involves employees and gives them a global view of their data and their different applications. This simplifies the verification of rights, access and sharing.

(1) CESIN “Barometer of company cyber-security” – 2021

Our articles

These articles may
interest you

Classification with MIP
Microsoft 365

Classify and protect sensitive data: focus on MIP

Lire l'article
Best practices on Microsoft 365
Microsoft 365
Expert Advice

Best practices to improve security on Microsoft 365

Lire l'article
microsoft teams data protection
Microsoft 365

Microsoft Teams: 5 key points to improve data protection

Lire l'article
Data protection, let's discuss your project?
Contact us