You are wondering if DLP supports co-authoring with MIP?

Article ID: 254632

Updated On:

Products

Data Loss Prevention

Issue/Introduction

Microsoft has a feature for Office documents, called “co-authoring” (not enabled by default).

When it is enabled and a document is open for co-authoring, can DLP still detect labelled content?

 

Environment

Data Loss Prevention where MIP inspection is enabled

Cause

Enabling co-authoring changes how labels are stored for Microsoft Office documents.

This is documented in Microsoft's article on the topic, Enable co-authoring for encrypted documents - Microsoft Purview (compliance) | Microsoft Learn:

Important

After you enable the setting for co-authoring, labeling information for unencrypted files is no longer saved in custom properties.

Do not enable this setting if you use any apps, services, scripts, or tools that read or write labeling metadata to the old location.
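
The following is an added example, not code from this article or from Microsoft, for auditing which location an Office file's label metadata lives in. It assumes the old location is `MSIP_Label_<GUID>_*` custom properties in `docProps/custom.xml` and the new one is `docMetadata/LabelInfo.xml`, handles unencrypted OOXML files only, and runs on constructed sample packages.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer defusedxml

OLD_PART = "docProps/custom.xml"        # assumed old location: custom properties
NEW_PART = "docMetadata/LabelInfo.xml"  # assumed location once co-authoring is enabled
MSIP = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_")  # assumed property naming

def _local(tag):
    """Strip the XML namespace so matching does not depend on the exact URI."""
    return tag.rsplit("}", 1)[-1]

def label_locations(data):
    """Return the label GUIDs found in each metadata location of an OOXML file."""
    found = {"custom_properties": set(), "label_info": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if OLD_PART in names:
            for el in ET.fromstring(z.read(OLD_PART)).iter():
                m = MSIP.match(el.get("name", ""))
                if _local(el.tag) == "property" and m:
                    found["custom_properties"].add(m.group(1).lower())
        if NEW_PART in names:
            for el in ET.fromstring(z.read(NEW_PART)).iter():
                if _local(el.tag) == "label" and el.get("id"):
                    found["label_info"].add(el.get("id").strip("{}").lower())
    return found

def visible_to_legacy_reader(data):
    """True if a tool that reads only custom properties would still see a label."""
    return bool(label_locations(data)["custom_properties"])

def _make(parts):
    """Build a minimal in-memory package from {part name: XML text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

# Constructed sample data: placeholder GUID and namespaces, not real label IDs.
GUID = "11111111-2222-3333-4444-555555555555"
OLD_DOC = _make({OLD_PART: '<Properties xmlns="urn:example:custom"><property '
                 f'name="MSIP_Label_{GUID}_Enabled"/></Properties>'})
NEW_DOC = _make({NEW_PART: '<labelList xmlns="urn:example:label">'
                 f'<label id="{{{GUID}}}" enabled="1"/></labelList>'})

if __name__ == "__main__":
    for name, doc in (("old", OLD_DOC), ("new", NEW_DOC)):
        print(name, label_locations(doc), visible_to_legacy_reader(doc))
```

A file for which `visible_to_legacy_reader` returns False but `label_info` is populated is one whose label a reader of the old location will not see.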

Resolution

If co-authoring is enabled while running DLP versions prior to 16.0 MP1, DLP is not able to read MIP labels; however, decryption of MIP documents for content inspection still occurs. A fix for this issue has been released in DLP 16.0 MP1, so DLP is now able to read MIP labels. Refer to Multiple-Component Fixed issues in 16.0 MP1.

 

Issue ID: CRE-12029
Description: Added support for co-authored Microsoft Information Protection labels to the OfficeOpenXml Content Extraction plug-in.
Component: Endpoint, Detection

Additional Information

Question: If we moved ahead with Microsoft MIP labelling and co-authoring on DLP versions prior to 16.0 MP1, how would this impact our current Symantec DLP operations with respect to visibility into policy violations and known sensitive documents?

Co-authoring affects the ability of DLP versions prior to 16.0 MP1 to read labels; however, DLP is still able to decrypt and match content to policy violations. The inability to read labels results in missed detections only for policy conditions that look for MIP labels. All other policies that trigger based on CONTENT (Keywords, Patterns, EDM/IDM, etc.) are NOT affected. Enabling co-authoring is not known to create any additional issues. All current DLP policies would continue to work as they do today. If you change or create new DLP policies that specifically require the presence of a MIP label as a condition, then those policies would be impacted and you could have missed detections.