Information that belongs to someone and has the potential to be very impactful to that person or organization needs to be protected in this day and age. Finding that information in the wrong hands can have severe negative implications and consequences. You need look no further than recent headlines to see the devastating consequences that information leakage can have, from Edward Snowden and the NSA to John Podesta and the Democratic National Committee.
Shops that primarily use Windows on the client side have a ready-made answer: Windows Information Protection (WIP) is a data loss prevention technology that looks for information classified as impactful to a business as well as for keywords that indicate sensitive information is potentially being passed outside the corporate security boundary. It then creates a plan to stop or mitigate that leakage.
Consider WIP for the following scenarios:
- You need to protect work-related information on both company- and employee-owned devices, such as their smartphone or tablet allowed to connect to your resources through a “bring your own device” (BYOD) program.
- You use business applications that do not have data loss protection capabilities built-in and need an extra layer or two of leak protection.
- You need a protection scheme that integrates with System Center or Microsoft’s Intune cloud-based device management platform.
I’ll walk you through what WIP is and how to get started. One huge caveat: This is a Windows 10 technology. To bake WIP into your organization fully, you’ll need to complete your inevitable migration off Windows 7 and Windows 9.1.
How Windows Information Protection works
WIP starts working when new documents, spreadsheets, or other files are created on a protected device. Employees can be presented with a choice to save that file as a “work document,” enabling all the protections that come with WIP. That work document is considered enterprise data, even if it is stored local to the protected device or added to removable media like an SD card or a USB stick. All work files stored on the device or on removable media are encrypted at rest.
That protection is not limited to new content. When an employee visits a network share on a protected device or downloads content from a SharePoint document library or a corporate intranet set, WIP locks that data down via encryption and enforces policies on it. WIP also puts up fences around data accessed via applications on a protected device. Administrators can bless certain apps and allow them to work with “work data” and have that data copied and pasted between blessed applications. On the flip side, applications can also be blocked, so that protected work data cannot be moved into blocked applications (think Gmail, Secret, or anything else) on a device with WIP enforced.
Sign up for Computerworld eNewsletters.