Bye-bye Windows Information Protection! Now what do we do?

So, Microsoft announced Windows Information Protection (WIP) is going bye-bye. Apparently, they only envisioned it as a stop-gap solution. It’s been with us quite some years already, though, and I know quite a few companies that use it as an easy-to-implement, cost-effective solution to protect corporate data (for instance on BYOD).

Kirby character with Purview logo above eyes, flexing arms
Yup. Still creepy.

In these announcements we’re told that we should all move to Purview. Remember trying to make sense of Purview Kirby (still not trademarked)? It’s so easy to get lost in this huge product offering.

They recommend a combo of Purview’s Information Protection and Data Loss Prevention capabilities, in particular. But do they stack up? Don’t get me wrong, I already know they bring much more functionality to the table than WIP ever did, but are they comparable when we factor in cost and ease-of-use?

TL;DR service – just skip to the conclusion here!

Hmm… so this WIP thing kind of competes with Purview here. I wonder if that had anything to do with sunsetting it 😊.

In this post I’m going to explore these questions a bit. I’m going to limit myself to the functionality WIP offers for this basic comparison and ignore the additional stuff Purview delivers.

Data classification; can’t put a label on it

Before anything, you will need to distinguish between data that should be protected and stuff that can be left alone.

WIP determines this by the data’s origin. It considers things like which app created it or which network resource delivered it and applies its policy accordingly. Anything that matches the policy will automatically be marked ‘corporate’; everything else is marked ‘personal’.

A cow with an ear tag
Label all the things!

Purview, on the other hand, sends in its Information Protection capabilities. It’s where Sensitivity Labels live. These offer a much more fine-grained approach to data classification (and can be used for other capabilities as well).

You may remember Sensitivity Labels from Azure Rights Management (Azure RMS), which can be used in combination with WIP. Azure RMS was one of the things that Purview Kirby inhaled.

The problem here is that Purview will not let you automate the process. Well, not unless you upgrade to E5/A5 licensing. Not even the simplest form of automation (which would be policy-based labeling) is included in E3/A3 licenses. If you decide to upgrade to E5/A5, you immediately get the whole shebang. Not only can you use labeling policies, you also get some pretty advanced automation options (like trainable classifiers) on top of them.

Data protection; not copy/pasted

WIP enforces a complete separation between data on the ‘corporate’ and ‘personal’ side. Any data marked ‘corporate’ will be encrypted and can only be used when WIP’s in-house border patrol says so. Anything that wishes to cross over to the ‘personal’ side has to pass the customs office. These are effective border guards, too: they can even detect the sneakier methods, like copy-pasting.

Unfortunately, WIP doesn’t allow you to specify what methods should be allowed. There are no levels in protection, it’s one-size-fits-all. That makes it a rigid, but also easy-to-implement solution. That’s either a pro or a con, depending on your needs.

The biggest drawback here is that once a piece of data is allowed to cross, WIP denies all accountability. Protection is simply removed and that’s the end of it. The data is now considered ‘personal’ and can then live out the rest of its lifecycle in freedom.

Also, this all-or-nothing approach for ‘unenlightened’ apps is annoying. I understand the technical reasons why it is the way it is, but still… it’s annoying.

Purview handles this with its Data Loss Prevention (DLP) capabilities. I won’t get into the technical details in this post, but it prevents stuff from being leaked to other places.

Unlike WIP, however, DLP’s standard offering only operates in Exchange Online, SharePoint Online and OneDrive for Business, protecting data at that level. Data on endpoints isn’t part of its scope.

Well, unless… you upgrade. Apparently, Microsoft regards protecting data on the endpoint as a premium feature.

Once again, you need E5/A5 licensing to get these capabilities. And you will need them, for sure. You see, Endpoint DLP is what protects your data on the endpoint and controls activities like uploading stuff to (unsanctioned) cloud services and… copy/pasting.

Somewhere, someone thought: “nah, this endpoint stuff isn’t a standard use case”.

Also worth noting is that Endpoint DLP relies on Windows Defender’s real-time protection and behavior monitoring. You don’t have to manage them with Defender for Endpoint (MDE), but they must be enabled on the endpoint.

I must admit that I’m not sure if running these in passive mode will suffice. If not, this may be an issue for those using third-party AV solutions.

Ptewey! You all run MDE, don’t you? 😊

two gray bullet security cameras
Monitoring your scrollbar.

Additionally, auditing

By default, WIP doesn’t offer any (centralized) auditing of activities on protected data. That is easily fixed by implementing some Log Analytics, though.

Oktay Sari wrote a good post on that matter, so I’ll skip the deep dive.

Purview, on the other hand, comes with all kinds of integrated auditing. Even without additional licensing, would you believe it? 😊

But does it BYOD?

WIP has been marketed as a good solution for BYOD in its “without enrollment” form. It doesn’t require MDM-enrollment or Azure AD join (AADJ). I’ve seen some confusion about Purview’s capabilities in this regard. Let’s take a look.

Purview (Endpoint) DLP doesn’t require any MDM-enrollment or AADJ, either. Okay, sounds good.

There’s a catch however: it does require onboarding the endpoint. Although it’s a simple process, it’s a lot easier if you have some sort of remote management in place.

If you’re already using Defender for Endpoint (MDE): it’s the same process. Yes, to the letter. An endpoint onboarded to MDE is also onboarded to Purview.
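If you want to know where a device actually stands before you lean on Endpoint DLP, the two prerequisites above (onboarding, and Defender’s real-time protection plus behavior monitoring being on) can be checked locally. The script below is an added example for this post, not something from Microsoft’s documentation or from the original article: it reads the MDE onboarding state from the registry key Microsoft documents for onboarding troubleshooting, looks at the Sense service (the MDE sensor), and uses Get-MpComputerStatus for the Defender settings. It only reads state and changes nothing. Whether a passive-mode result is good enough for Endpoint DLP is the open question I raised above, so the script merely flags that for you to verify.

```powershell
# Added example (not from the original post): local readiness check for the
# Endpoint DLP prerequisites discussed in the text. Read-only; nothing is changed.

# 1. Onboarding state. MDE/Purview onboarding writes OnboardingState = 1 under this key
#    (the key Microsoft documents for MDE onboarding troubleshooting).
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarded = $false
if (Test-Path $statusKey) {
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $onboarded = ($status.OnboardingState -eq 1)
}

# The "Sense" service is the MDE sensor; absent or stopped means no telemetry flows.
$sense       = Get-Service -Name Sense -ErrorAction SilentlyContinue
$senseStatus = if ($sense) { $sense.Status } else { 'not installed' }

# 2. Defender antivirus state. Endpoint DLP needs real-time protection and
#    behavior monitoring enabled; AMRunningMode shows 'Normal' or a passive mode
#    when a third-party AV is the primary engine.
$mp = Get-MpComputerStatus

$report = [ordered]@{
    Onboarded            = $onboarded
    SenseServiceStatus   = $senseStatus
    RealTimeProtection   = $mp.RealTimeProtectionEnabled
    BehaviorMonitoring   = $mp.BehaviorMonitorEnabled
    AntivirusRunningMode = $mp.AMRunningMode
}
[pscustomobject]$report | Format-List

# Flag what the post names as hard requirements; passive mode is only flagged
# for manual verification, since whether it suffices is not settled here.
$problems = @()
if (-not $onboarded)                    { $problems += 'Endpoint is not onboarded to MDE/Purview.' }
if ($senseStatus -ne 'Running')         { $problems += "Sense service is '$senseStatus'." }
if (-not $mp.RealTimeProtectionEnabled) { $problems += 'Real-time protection is disabled.' }
if (-not $mp.BehaviorMonitorEnabled)    { $problems += 'Behavior monitoring is disabled.' }
if ($mp.AMRunningMode -ne 'Normal') {
    $problems += "Defender AV is in '$($mp.AMRunningMode)' mode; verify whether this suffices for Endpoint DLP."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Endpoint DLP prerequisites look satisfied on this device.'
}
```

Run it in an ordinary PowerShell session on the device in question; reading the Status key and Get-MpComputerStatus don’t need elevation. On a device that is onboarded to MDE it should report Onboarded = True with Sense running, which is exactly the “same process” point: nothing extra is needed for Purview.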

In memoriam… eh… conclusion

Let’s just immediately address the elephant in the room: Purview Endpoint Protection and Data Loss Prevention aren’t the simple rip-and-replace alternative Microsoft makes them out to be when you factor in cost (and in some cases ease of implementation).

In E3/A3 licensing, Purview simply doesn’t match the capabilities WIP can provide. You will have to upgrade to E5/A5 licensing for that (either the ‘Compliance’ or ‘Information Protection and Governance’ add-ons will suffice). Without this upgrade, you simply can’t protect data on your endpoint. In addition, without at least some kind of policy-based automation, classification will add quite a lot of management workload.

Granted, Purview offers many, many more capabilities than WIP and it isn’t limited to Windows, which is nice. So no, I’m not saying it’s overpriced. It just offers way more than you’re currently using.

I hope that, when WIP’s sun finally sets, this licensing structure is revised so some of this stuff can be used in E3/A3 licensing.

And for those of us using WIP without enrollment (yes, I’m guilty as well): BYOD is becoming harder and harder to securely implement on desktops/laptops. I hope this finally ends this “I need my unmanaged device” craze.
