What is Windows Information Protection
In principle, WIP can be described as MAM (Mobile Application Management) for Windows 10. IT administrators have been managing iOS and Android devices for a number of years, deciding which installed applications may access company data (email, calendar, documents, etc.). Windows 10 offers similar functionality with fairly good integration into the operating system: based on the configured rules it recognizes which data is corporate and which is not, and then allows or denies applications access to it. On desktops the use of the technology is more complex than on mobile devices: rather than controlling access to cloud services, it primarily controls access to files stored on network storage. Additionally, WIP encrypts files copied from these network drives to client computers. The result is that communication with network storage is limited to authorized applications, copied data is immediately secured on the client computers, and again only authorized applications have access to it. In addition, Windows ensures that local data exchange between applications (Ctrl+C and Ctrl+V) is protected, and that data copied over from network storage cannot be copied elsewhere (for example, saved to a USB stick, uploaded to the cloud, etc.).
It is appropriate to mention that security through WIP is not bulletproof. A skilful user can bypass it, but I dare say that for most users it is an insurmountable obstacle. Microsoft is aware of these weaknesses, which is why Windows Information Protection is cleverly promoted as a technology that prevents accidental leakage of corporate data, not as one intended to prevent targeted data theft.
How Windows Information Protection works
The fundamental point for understanding how WIP works is that the protection is applied on the end devices (the Windows 10 computers). The data is therefore not encrypted on servers or network storage. All access control and encryption is handled by the client computer, so it follows that the client must be set up and functioning properly. Other devices connected to the network (whether running older versions of Windows or other operating systems) are not subject to the protection, and the data is not encrypted for them. From a security perspective, it is clear that the weakest link in Windows Information Protection is the fact that you have to rely on the protection functioning on the end computer.
A properly set up Windows 10 device with Windows Information Protection internally monitors all of its network traffic. If it is communicating with a corporate destination (network storage, Exchange server, SharePoint, etc.), it allows the communication only for approved applications. If the application is not approved, the communication is blocked completely (unless configured otherwise). In the same way, the device also controls access to locally stored files that come from corporate sources: access is allowed only to authorized applications.
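To make the decision described above concrete, here is an added example (not code from the original article) that models, in PowerShell, how a WIP client classifies a destination as corporate or personal and what then happens to an application's access depending on whether the app is approved and on the configured enforcement level. The policy field names mirror the EnterpriseDataProtection CSP settings (EnterpriseNetworkDomainNames, EnterpriseIPRange, EnterpriseCloudResources, EDPEnforcementLevel); the matching rules in the script are an illustrative assumption of mine, not Windows' own implementation, and the domain names, IP ranges and host names are constructed placeholders.

```powershell
# Added example, not code from the original article: a simplified model of the
# decision a WIP-enabled client makes for one network access. Field names mirror
# the EnterpriseDataProtection CSP settings; the matching rules are an illustrative
# assumption, not Windows' own implementation.

# Constructed policy values (placeholders, not a real tenant's configuration)
$Policy = @{
    NetworkDomainNames = @('corp.example.com', 'intranet.example.com')
    IPRanges           = @('10.0.0.0-10.255.255.255', '192.168.10.1-192.168.10.254')  # EnterpriseIPRange uses start-end
    CloudResources     = @('contoso.sharepoint.com', 'outlook.office365.com')
    EnforcementLevel   = 3   # EDPEnforcementLevel: 0 = Off, 1 = Silent, 2 = Override, 3 = Block
}

function ConvertTo-IPv4Number {
    # Turn a dotted IPv4 string into an unsigned integer so ranges can be compared numerically
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Only IPv4 is handled in this example: $Address" }
    return (([uint64]$bytes[0] -shl 24) -bor
            ([uint64]$bytes[1] -shl 16) -bor
            ([uint64]$bytes[2] -shl 8)  -bor
             [uint64]$bytes[3])
}

function Test-CorporateDestination {
    # Is this host name or IPv4 address inside the configured enterprise network boundary?
    param(
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][hashtable]$WipPolicy
    )
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Destination, [ref]$ip) -and
        $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
        $n = ConvertTo-IPv4Number -Address $Destination
        foreach ($range in $WipPolicy.IPRanges) {
            $start, $end = $range -split '-'
            if ($n -ge (ConvertTo-IPv4Number -Address $start) -and
                $n -le (ConvertTo-IPv4Number -Address $end)) { return $true }
        }
        return $false
    }
    # Host names: exact match or a subdomain of a listed network/cloud domain
    $hostName = $Destination.ToLowerInvariant().TrimEnd('.')
    foreach ($domain in ($WipPolicy.NetworkDomainNames + $WipPolicy.CloudResources)) {
        $d = $domain.ToLowerInvariant()
        if ($hostName -eq $d -or $hostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Resolve-WipAccess {
    # Outcome for an application reaching a destination, given whether it is on the allowed-app list
    param(
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][hashtable]$WipPolicy,
        [switch]$AppIsAllowed
    )
    if (-not (Test-CorporateDestination -Destination $Destination -WipPolicy $WipPolicy)) {
        return 'Allow: personal destination, WIP does not intervene'
    }
    if ($AppIsAllowed) {
        return 'Allow: allowed app; anything it writes locally will be encrypted'
    }
    switch ([int]$WipPolicy.EnforcementLevel) {
        0 { return 'Allow: WIP is off' }
        1 { return 'Allow, but log an audit event (Silent mode)' }
        2 { return 'Prompt the user; allow if overridden and log it (Override mode)' }
        3 { return 'Block: unapproved app, corporate destination (Block mode)' }
        default { throw "Unknown EDPEnforcementLevel: $($WipPolicy.EnforcementLevel)" }
    }
}

# Demo with constructed inputs: same corporate destination with the app off and on the
# allowed list, an address inside a configured IP range, and a personal web site
Resolve-WipAccess -Destination 'fileserver.corp.example.com' -WipPolicy $Policy
Resolve-WipAccess -Destination 'fileserver.corp.example.com' -WipPolicy $Policy -AppIsAllowed
Resolve-WipAccess -Destination '10.20.30.40' -WipPolicy $Policy
Resolve-WipAccess -Destination 'www.example.org' -WipPolicy $Policy
```

The interesting knob when reviewing a deployment is EnforcementLevel: the "blocked completely (unless configured otherwise)" behaviour in the text corresponds to Block mode (3), while Silent (1) only audits and Override (2) lets the user click through. Changing the value in $Policy and re-running the first call shows how the same unapproved access ends up allowed, prompted or blocked.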
Specific applications behave differently depending on whether they are able to work internally with WIP or not:
If the application internally implements the necessary API, it is a so-called Enlightened application (basically only Microsoft applications; in practice it is mainly the Office package). Such an application can detect whether it is accessing a corporate or a personal resource and sets the protection accordingly. For example, imagine Microsoft Word in which a user is logged on to both a corporate and a personal OneDrive account at the same time. Data from the company account will be encrypted when saved, personal data will not. The user will be able to copy text from a personal file into a work file, but not vice versa. Personal files can be saved to a USB drive, but not work files. It sounds good; unfortunately the list of Enlightened applications that behave like this is quite short (you can find it at https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip).
If the application does not support the required API (basically everything commonly used in offices except Microsoft Office), then we have two options for allowing it access to company data:
Allow access and encrypt everything that the application writes locally
If you allow an application to access your company data in this way, every file it writes locally will be automatically encrypted. For example, we designate Adobe Reader as an allowed application, create a PDF in it and save it locally, and it will be encrypted automatically. The application cannot distinguish between business and personal storage; it encrypts everything, and data copied out of it is always marked as corporate.
Grant an exception and do not encrypt anything that the application writes locally
Alternatively, we can grant the application a security exception. It will have access to networked corporate resources and corporate files, but it will not encrypt anything locally. It is thus able to bypass the protection, and all data copied out of it will be marked as personal.
Why would we want to use the second option? Because if the application automatically encrypts everything, it really means everything, including all the internal files it creates in Program Files and elsewhere. This can cause problems: for example, if the application consists of several exe files and we do not allow access for all of them, we deny the application access to its own important files, and for that reason it may not work correctly.
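Because all of this encryption happens on the client, the practical check after designating an application as allowed is to look at what actually ended up encrypted on disk. The following PowerShell audit is an added example (not code from the original article). It relies on the fact that WIP protects files with EFS, so the assumption used here is that a WIP-protected file carries the NTFS Encrypted attribute; cipher.exe /c is the built-in tool that prints the EFS details of a file. The folder paths in the demo, including the application folder name, are placeholders.

```powershell
# Added example, not code from the original article: audit which files under a
# folder are encrypted. Assumption: a file WIP has protected carries the NTFS
# "Encrypted" attribute (WIP encrypts with EFS). Run it on a user's data folders to
# confirm that what an allowed app writes is encrypted, and on the app's own folders
# to spot the over-encryption problem described above. Demo paths are placeholders.

function Get-WipEncryptionReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IncludeDetails   # also capture "cipher.exe /c" output for encrypted files
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $encrypted = $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)
        $detail = $null
        if ($encrypted -and $IncludeDetails) {
            # cipher /c shows the encryption state and which users/certificates can open the file
            $detail = (& cipher.exe /c $_.FullName 2>$null) -join "`n"
        }
        [pscustomobject]@{
            FullName  = $_.FullName
            Encrypted = $encrypted
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            Detail    = $detail
        }
    }
}

function Get-WipEncryptionSummary {
    # Counts of encrypted vs. plaintext files under one folder
    param([Parameter(Mandatory)][string]$Path)
    $report = @(Get-WipEncryptionReport -Path $Path)
    [pscustomobject]@{
        Path           = $Path
        TotalFiles     = $report.Count
        EncryptedFiles = @($report | Where-Object { $_.Encrypted }).Count
        PlaintextFiles = @($report | Where-Object { -not $_.Encrypted }).Count
    }
}

# Demo with placeholder paths:
# 1) a user's Documents folder: files copied there from a corporate share should be encrypted
Get-WipEncryptionSummary -Path (Join-Path $env:USERPROFILE 'Documents')
# 2) an allowed application's own folder (placeholder name): encrypted files here are the
#    symptom behind the "application stops working correctly" problem
Get-WipEncryptionSummary -Path 'C:\Program Files\ExampleApp'
# 3) per-file view with EFS details for the encrypted files only
Get-WipEncryptionReport -Path (Join-Path $env:USERPROFILE 'Documents') -IncludeDetails |
    Where-Object { $_.Encrypted } | Format-Table FullName, SizeKB -AutoSize
```

A non-zero EncryptedFiles count under an application's own installation folder is the signal to consider the exception option from the text instead of plain allow listing, or to add the application's remaining executables to the allowed list.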
When to use Windows Information Protection
In general, it is advisable to use WIP wherever it is not possible to explicitly encrypt all data directly on network storage. Typically, this is the case for normal office use, where some data is sent by e-mail and must be accessed by external users, external systems, etc. Encrypting all files would therefore be undesirable and would make daily work more difficult. Windows Information Protection allows us to apply at least some data protection by encrypting data stored locally on client computers. At the same time, only applications we allow will be allowed to use it. In practice, a file downloaded from network storage cannot be copied to a USB thumb drive, but it can be sent from Outlook to business partners, who will be able to open it without any problems.
Another useful feature is control over copying from company documents via Ctrl+C and Ctrl+V. For many companies this feature alone is worth deploying Windows Information Protection for.
Windows Information Protection does not require the device to be fully enrolled for management; it only needs to be registered with Azure AD. It is therefore a suitable technology for protecting data on BYOD devices.
Another advantage is that the technology to some extent substitutes for the well-known AppLocker (WIP is partly built on top of it), so if the devices are managed with Intune we can quite well use WIP to manage the software used on computers.
Conversely, it is not recommended to use Windows Information Protection for critically sensitive data; that is where Azure Information Protection (formerly Rights Management Services) has its place, since it encrypts the data right where it is stored.
Windows Information Protection is a feature that prevents unwanted transfer of corporate data outside corporate network storage and managed devices. It also encrypts company data that is stored locally on client computers and controls which applications are allowed to access it. Windows Information Protection is not bulletproof, but it is useful as additional security where we cannot encrypt all data on network drives or servers. In the next article, we will look at how to set up Windows Information Protection and discuss real-world experience, including problems that we may encounter.