Windows Information Protection (WIP)

According to the study “On the Pulse” by Stroz Friedberg, around 87% of senior managers have admitted to sending corporate data to personal cloud storage and email, and as noted in an article by HIPAA Secure Now, around 58% of employees have accidentally sent information to the wrong person.

As the use of employee-owned devices in an organization increases, so does the chance of data leaks. For example, an employee might copy business data and post it to public apps such as Twitter or Facebook, or save it to public cloud storage apps such as Dropbox or Google Drive, intentionally or accidentally.

In the marketplace, there are third-party solutions like MDM (Mobile Device Management) that can be set up to control and manage enterprise data leaks. But they are expensive and require users to switch to a protection mode or a different UI when working with enterprise data, which is inconvenient for both users and IT admins. That’s where WIP comes into the picture: it provides a smooth user experience without requiring other applications or a switch to another mode while working with business data. So, let’s talk about WIP.

What is WIP?

WIP (Windows Information Protection), previously known as Enterprise Data Protection, is a built-in enterprise data protection feature that comes with the Windows 10 Anniversary Update. Everyone knows how to copy enterprise data and paste it into social media apps or store it in a personal cloud.

WIP provides the functionality needed to distinguish personal from business information, determine which apps have access to it, and apply the basic controls that govern what users can do with business data (e.g. copy and paste restrictions).

Features of WIP

We can segregate the personal and corporate data, without requiring employees to switch to special modes or applications.

WIP lets administrators enable copy and paste protection, provision policies, and wipe corporate data without removing personal data when an employee leaves the company.

WIP provides additional data protection for existing line-of-business apps without the need to update the apps.

WIP provides integration with your existing management system (Microsoft Intune, System Center Configuration Manager, or your current MDM system) to configure, deploy, and manage WIP for your company.

How does WIP work?

Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
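Since the paragraph above says WIP protects files on disk with EFS, one practical check is to inventory which files in a folder carry the NTFS Encrypted attribute. The script below is an added example, not code from the original article or from Microsoft; the default folder and the function name `Get-EfsEncryptedFile` are assumptions, and the attribute alone does not distinguish WIP-protected files from files a user encrypted with EFS by hand.

```powershell
# Added example: list files under a folder that are EFS-encrypted on disk.
# Assumption: the default folder below is only a placeholder; pass -Root to audit another path.
param(
    [string]$Root = "$env:USERPROFILE\Documents"
)

# Hypothetical helper name (not a built-in cmdlet).
function Get-EfsEncryptedFile {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        # EFS sets the Encrypted file attribute on every file it protects.
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Extension = $_.Extension
                SizeBytes = $_.Length
                Modified  = $_.LastWriteTime
            }
        }
}

$encrypted = @(Get-EfsEncryptedFile -Path $Root)
$allFiles  = @(Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue)

# Summary: how much of the folder is actually encrypted at rest.
"{0} of {1} files under {2} carry the Encrypted attribute" -f $encrypted.Count, $allFiles.Count, $Root

# Breakdown by file type, then the most recently modified encrypted files.
$encrypted | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
$encrypted | Sort-Object Modified -Descending | Select-Object -First 20 |
    Format-Table Path, SizeBytes, Modified -AutoSize
```

Files that are expected to hold corporate data but do not appear in the output are stored unencrypted and are worth a closer look.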

Your WIP policy includes a list of trusted apps that can access and process corporate data. This list is implemented through the AppLocker functionality, which controls what apps can run and lets the Windows operating system know which apps can edit corporate data. Apps included on this list do not have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant access or not.

There are only 11 applications that are considered WIP “Enlightened Apps” (see list below). All other apps will force encryption on all data saved, which cannot be shared externally unless the user manually removes the encryption and re-encrypts with AIP (Advance Information Protection).

  • Microsoft Edge
  • Internet Explorer 11
  • Microsoft People
  • Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
  • Microsoft Photos
  • Groove Music
  • Notepad
  • Microsoft Paint
  • Microsoft Movies & TV
  • Microsoft Messaging
  • Microsoft Remote Desktop
