IBM Security MaaS360

 View Only

Secure Enterprise Data through IBM MaaS360 Windows Information Protection

By Bharath Kumar Nallagatla posted Tue April 19, 2022 09:00 AM

  

Co-authored by @Deepti Swain

We are going through unprecedented times when most of the workforce is remote and work is done from home, with increasing number of employees bringing their own personal devices in-use for office work.
It enhances the risk for accidentally leaking sensitive data through social media or public cloud, e.g. an employee sharing  documents or images on his social media account or uploading work document to google drive or other public cloud.

Effective, safe and secure data sharing mechanisms are a necessity in an organization. Admins can put access control over data, but that is not enough. Just because only authorized persons have access to data, does not ensure that it can’t leave the enterprise boundary. It does not restrict from sending the document or data to their personal email account or sharing it via other channels

Stricter access control and data loss prevention systems interfere with employee productivity and their work experience. Windows Information Protection (WIP) feature protects enterprise data without compromising employee experience and productivity.

WIP provides :

  • Clear separation between personal and corporate data, without requiring employees to sign in to different users or use specific apps.
  • Content created on enterprise protected device can be chosen to be saved as work document or personal document.
  • Data protection for existing apps without upgrading the apps, just by configuring WIP policy.
  • Ability to wipe corporate data from MDM enrolled device without touching personal data.
  • Enterprise data is encrypted as soon as it’s downloaded from enterprise web location or network share or SharePoint or if the employee marks data as corporate.
  • Flexibility to decide your level of data access. You can block or allow override or just audit user actions.
  • Controls which apps can access enterprise data by adding apps to protected apps list. Data copying will be allowed only among protected apps if WIP management is set to Block
  • Helps prevent accidental data sharing to non protected cloud storages.
  • Help prevent accidental data disclosure on USB. Enterprise data on USB remains encrypted while personal data stays unencrypted.
  • Windows information Protection is supported from Windows 10 onwards - Professional, Education, and Enterprise editions.

Let us explore how we can configure WIP through IBM MaaS360 portal

Admin needs to create the Windows MDM policy. Follow the steps below:

- Access Security → Policies section. - Edit the policy and navigate to the Enterprise Settings → Windows Information Protection- Enable Enforce Windows Information Protection.
- Now, Enforcement Settings will be visible, and further configuration can be done.

 
Let us go through each setting in detail and discuss the configuration and respective behavior on Windows devices:

Enforcement Settings

  • Enforcement Level

This setting will provide three enforcement options for the admin to apply on the device:

  • Block mode (encrypt, block, and audit):

    In this setting, WIP policy will not allow users to share the data from enterprise protected apps to non-enterprise protected apps and any inappropriate data sharing practices such as sharing enterprise data outside of organization’s network or between apps. If user attempts to copy the protected file to non-protected application, then below pop-up will be shown with the message: Your organization doesn't allow you to use work content with this application

  • Override mode (encrypt, prompt, and audit):

    In this setting, WIP policy will provide a warning message if user attempts inappropriate data sharing from enterprise protected apps to non-enterprise protected apps which is potentially unsafe. This setting will allow the user to override the policy and share the protected data and logs the action to the audit log. Pop-up will be shown as below:

  • Silent mode (encrypt and audit only)

    In this setting, WIP policy will allow users to share the data from the enterprise protected apps to non-enterprise protected apps by logging inappropriate data sharing to the audit log silently, without any prompt as observed in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.

Let’s see how WIP prevents inadvertent data copy through a small video.

 

  • Show Icon Overlays Over Protected Data
    When this setting is enabled, the briefcase type of icon overlays in the title bar for files and apps that are protected. The overlay icon will be displayed on all protected files and protected apps, and if user clicks on the overlay icon, message will be displayed as : App managed by Enterprise Primary Domain name

  • Revoke Protected Data On Unenrollment

    This setting will control whether to revoke the encryption keys when device is removed from MDM control. On enabling this setting, encryption keys are revoked, and the user will not have access to protected data when MDM control is removed from the device.

Let’s see how this setting can ease IT Admin worries about corporate data on BYOD device through a small video.


  • Data Recovery Certificate

    This setting specifies a recovery certificate which will be used for the data recovery of encrypted files. This is like the data recovery agent (DRA) certificate for encrypting file system (EFS).

    How to generate this certificate in base 64 encoded blob format?
    1) Launch the command prompt and execute the command:
                     cipher /r:<cert_name>

    Provide a certificate name. The command prompt will ask you to enter the password. Once the password is entered and confirmed .CER and .PFX files will be generated with the certificate name provided above in C:\Windows\System32 folder.

    2) Execute next command:

    cipher /p:<cert_name>.cer

    where <cert_name> needs to be replaced with certificate name used previously in the first step.

    /p command will create a base64-encoded recovery-policy blob from the passed-in
    certificate. This blob should be used as Data Recovery certificate.
     
    The steps are referenced in the image below:


    Enterprise Protected Apps

    In this section, the Admin can configure apps that need to be protected by WIP.
                                  

    • Configure Protected Universal Apps (Allowlist):

    Admin can specify the app name, publisher name, app version (minimum), and app version (maximum) for the universal apps that needs to be protected.

    For example, following configuration can be provided to protect calculator application

    App name: MICROSOFT.WINDOWSCALCULATOR

    Publisher Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

    and CALCULATOR application will be protected as shown below:

    To fetch the App Name and Publisher Name, below links can be referred:

    Get Microsoft apps details

    Get App details using IBM MaaS360 Tool

     How to configure Office 365 as protected app?

    Office 365 applications can be protected by providing:

    App name: *

    Publisher Name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

    Once O365 apps are protected, the briefcase symbol is visible in the info section, if the file is saved in protected mode, as shown below:

    • Configure protected universal apps (Blocklist):

      In this section, we can configure universal apps that are not required to be protected by WIP. Admin can provide details (the app name, publisher name, app version (minimum), and app version (maximum)) of universal apps that are not required to be protected by WIP.

      For example, if admin wants to protect all MS Apps except Sticky Notes. He can protect all MS apps using allowlist section

      App name: *

      Publisher name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
      Then, he can configure Sticky Notes in blocklist section.

      App name: Microsoft.MicrosoftStickyNotes

      Publisher name: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

      With this configuration all MS apps will be protected except the Sticky Notes as shown below:

      • Configure Protected Desktop Apps (Allowlist)

      This section configures desktop apps that are allowed and protected by WIP. Admin can specify the app name, publisher name, app version (minimum), and app version (maximum) for the desktop apps that needs to be protected.

      • Configure Protected Desktop Apps (Blocklist)

      This section configures any desktop Application needs to be blocklisted/ not protected by WIP. Admin can specify the app name, publisher name, app version (minimum), and app version (maximum) for the desktop apps that needs to be protected.

      Once WIP policy is assigned on the device then the protected apps will be indicated as Managed as shown below:



      File Ownership is indicated in the Windows Explorer windows of protected Applications as below:


      Briefcase icon is shown on the top right corner of the protected Application as shown below:



      In this blog post, we learnt:  

      • What are the capabilities of the Windows Information Protection feature and how it can be configured through IBM MaaS360
      • What are the various enforcement settings and their configuration on IBM MaaS360 portal
      • How to reate data recovery certificates
      • How to protect enterprise apps
      • How to configure O365 as protected apps

       

      In the coming blog(Secure Enterprise Data through IBM MaaS360 Windows Information Protection – Part 2), we will explore how we can leverage Windows Information Protection policy to protect data hosted on an enterprise network. We will also explore the difference between Enlightened and Unenlightened apps.

​​
0 comments
33 views

Permalink