2021 POST-Gnostication Pt. 1 - Sensitivity Labels

The year is winding down, and what a year it’s been. Like most, we started out hopeful to be back in person—not just in the office, but out in the world. I’ve missed traveling a lot more than I’d ever anticipated, and even after getting a 10x improvement in my rural internet speeds, it turns out virtual meetings just don’t cut it for me. But as we’ve said before: hybrid work is here to stay, and technology and business processes must adapt to the new normal.
 
So as we close the books on 2021, I thought it might be fun to look back on the early optimism of our Security Prognostication blog and webinar and follow up with a POST-gnostication. What did we get right, what did we get wrong, and what did we just flat out miss? Because this year threw some major tech curve-balls. 
 

First, a review of the major technologies we thought would cut through the noise and drive improvements to most organizations’ security posture: 

  1. Endpoint Detection & Response 
  2. SIEM/SOAR 
  3. Remote Provisioning 
  4. Endpoint DLP 

We definitely continued to see investments in sensitivity labeling, though not in the ways I had anticipated. I thought that having more users access corporate data from home would force security shops to immediately pivot to protecting data:

“Quarantine is a big part of the timing. Folks are taking corporate data home and accessing our secrets in ways we never envisioned. Relying on VPN and email security isn’t useful once the data has been copied off the corporate network. With Azure Information Protection, we can establish persistent protections on files, provide simple sensitivity labels for users to classify documents, enable auto classification with no additional licensing requirements, and now even apply sensitivity to whole Teams channels and SharePoint libraries.”

Part of my excitement at the time was the ability to protect content in Teams and SharePoint libraries, a functionality that would allow admins to enforce labels in much the same way as traditional folder permissions. It’s really a huge improvement in reducing complexity for users, but it comes with a couple of challenges that I think are still left to solve, like eliminating the need to ingest labels into Azure AD through PowerShell, which is still a no-go for many an admin (see our years-old debate on administration-by-CLI). And the technology continued to evolve throughout the year, with once-fantastical real-time co-authoring coming to encrypted documents, removing one of the main blockers.
 
But where I’d expected a pipe-burst of adoption, what I got was more of a gradual opening of the tap. The water is flowing, but in a more controlled way. And that’s probably a good thing, because it forced me to rethink my preconceived notions of how best to deploy it.
 
As a life-long blue-team player, I had always been firmly in the “rip off the bandage” camp, but with users trying to learn new business processes while also working around kids and pets and the general messiness of life, I came to accept that a more gradual “crawl, walk, run” approach to data protection and management might—just maybe—be the right approach. 
 
Make no mistake: persistent, revocable protections that travel with the data and offer usage insights for admins are a critical component of a well-considered security posture. “Protect / detect / respond” isn’t super meaningful if there’s no mechanism for protection or response.
 
Add “Identify” and “Recover”, and Information Protection becomes even more meaningful with identification and auto-labeling capabilities for existing content. That identification component becomes a critical element in the “crawl, walk, run” approach as organizations first try to discern what they even have that needs protection.
 
But fascinatingly, this seems to be the biggest blocker to adoption: “we don’t know what we don’t know”. Data could be anywhere, taking any shape, with or without proper metadata, with or without proper permissions. Well, OK, that’s true, but you also won’t find out without doing some digging. And while you’re trying to decide whether or not the digging is worth the effort, the bad guys are busy doing the exact same thing.
 
Prediction rating: 6 / 10 
 
 
