How to prevent data loss with Windows Information Protection

Looking for a solution to keep company data out of the wrong hands? Windows 10's WIP might be the best option. Here's how WIP works.

Peter Sayer

Information that belongs to a person or organization, and that could seriously harm them if exposed, needs to be protected. Finding that information in the wrong hands can have severe consequences; you need look no further than recent headlines to see how devastating a leak can be, from Edward Snowden and the NSA to John Podesta and the Democratic National Committee.

Shops that primarily use Windows on the client side have a ready-made answer: Windows Information Protection (WIP), a data loss prevention technology that looks for information classified as impactful to the business, and for keywords indicating that sensitive information may be passing outside the corporate security boundary, and then acts to stop or mitigate that leakage.

Consider WIP for the following scenarios:

  • You need to protect work-related information on both company-owned and employee-owned devices, such as a personal smartphone or tablet that is allowed to connect to your resources under a “bring your own device” (BYOD) program.
  • You use business applications that do not have data loss protection capabilities built-in and need an extra layer or two of leak protection.
  • You need a protection scheme that integrates with System Center or Microsoft’s Intune cloud-based device management platform. 

I’ll walk you through what WIP is and how to get started. One huge caveat: This is a Windows 10 technology. To bake WIP into your organization fully, you’ll need to complete your inevitable migration off Windows 7 and Windows 8.1.

How Windows Information Protection works

WIP starts working when new documents, spreadsheets, or other files are created on a protected device. Employees can be presented with a choice to save that file as a “work document,” enabling all the protections that come with WIP. That work document is considered enterprise data, even if it is stored locally on the protected device or added to removable media like an SD card or a USB stick. All work files stored on the device or on removable media are encrypted at rest.

That protection is not limited to new content. When an employee visits a network share from a protected device or downloads content from a SharePoint document library or a corporate intranet site, WIP locks that data down via encryption and enforces policies on it. WIP also puts up fences around data accessed via applications on a protected device. Administrators can bless certain apps, allowing them to work with “work data” and to have that data copied and pasted between blessed applications. On the flip side, applications can also be blocked, so that protected work data cannot be moved into blocked applications (think Gmail, Secret, or anything else) on a device with WIP enforced.

By default, these app restrictions are enforced like a whitelist, with everything blocked and individual apps needing to be manually—read intentionally—added to the whitelist to be granted access to work data. Some applications, particularly Microsoft Office, are aware of WIP and can protect data even when employees copy data from a protected file, paste it into a new document, and attempt to save it as a new document. WIP will notice this and automatically encrypt the new file. Apps that understand WIP are known as “enlightened apps,” and in Windows 10 app developers can choose to create WIP-aware apps that inherit this functionality automatically without additional code.
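The “bless this app” step above is where most of the administrative work lives. For desktop (non-Store) apps, WIP’s protected-app list is expressed as AppLocker publisher rules, which the WIP policy editors in Intune and Configuration Manager can import. The following PowerShell, an added example rather than code from the article or from Microsoft, generates that rule XML for a small allow list with the standard AppLocker cmdlets. The binary paths, the output location, and the sample list of Office executables are assumptions; adjust them to your own estate.

```powershell
# Added example: build the publisher allow-list from which WIP's desktop-app
# "protected apps" list is assembled. Publisher rules are preferred over path
# or hash rules: they survive app updates and cannot be satisfied by an
# unsigned file dropped at the same path.
# Assumptions: the install paths below exist on the admin workstation, and
# $outFile is where you stage policy XML for import into Intune/ConfigMgr.

Import-Module AppLocker

# Apps to bless for handling work data (constructed list; adjust as needed).
$allowedBinaries = @(
    'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
    'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
)

# Collect signer / product / binary-name information for each executable.
$fileInfo = foreach ($path in $allowedBinaries) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping missing binary: $path"
        continue
    }
    Get-AppLockerFileInformation -Path $path
}

# Refuse to emit rules for unsigned binaries: an unsigned entry would silently
# fall back to a hash or path rule, which is weaker than the publisher intent.
$unsigned = $fileInfo | Where-Object { -not $_.Publisher }
if ($unsigned) {
    throw "Unsigned binaries cannot be allow-listed by publisher: $($unsigned.Path -join ', ')"
}

# Generate Allow rules for Everyone, keyed on publisher, and export as XML.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
                                 -RuleType Publisher `
                                 -User Everyone `
                                 -Xml

$outFile = 'C:\WIP\ProtectedDesktopApps.xml'   # assumed staging location
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
Set-Content -LiteralPath $outFile -Value $policyXml -Encoding UTF8

# Sanity check: every listed binary should be allowed by the generated rules,
# while a binary that is NOT on the list (Notepad here) should be denied by
# default, mirroring WIP's whitelist behaviour described above.
$allowedBinaries | Test-AppLockerPolicy -XmlPolicy $outFile -User Everyone
'C:\Windows\System32\notepad.exe' | Test-AppLockerPolicy -XmlPolicy $outFile -User Everyone
```

Review the `PolicyDecision` column from the two `Test-AppLockerPolicy` calls before importing: the Office binaries should show as allowed and Notepad as denied. If a binary you expected to be allowed comes back denied, it is usually because the installed copy is signed by a different publisher or product name than the one the rule was generated from (for example a Click-to-Run versus MSI build), and the rule needs regenerating from the binary actually deployed.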
