How Sensitivity Labels Help Agencies Meet Federal Zero Trust Standards

Post Date: 06/08/2022
feature image

Federal agencies work with some of the nation’s most critical information, from scientific research and healthcare data to civilian information and classified defense assets. It has always been your agency’s responsibility to safeguard this information from those with malicious intent; unfortunately, this is not as simple as it used to be. As more organizations use collaboration tools – in fact, a 2021 Gartner survey showed a 44% increase in workers’ use of collaboration tools since 2019 – and more sensitive information is shared digitally, your agency’s security models must adopt new strategies to prevent oversharing and ensure your confidential content is protected from unauthorized access, whether external or internal.

Thorough end-user training and the best precautionary practices aren’t enough – you need automated policies and tools that can ensure your most sensitive information stays secured and protected. As stated in the memo M-22-09, which outlines the Federal government’s new Zero Trust security standards, “Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.”

Microsoft’s sensitivity labels can help you on your path towards implementing this mandate. In this post, we’ll discuss what sensitivity labels are, how they can help you meet the Federal Zero Trust Architecture (ZTA) standards, and how AvePoint can help by enhancing Microsoft’s native security capabilities.

What Are Microsoft Sensitivity Labels?

Collaboration tools like Microsoft 365 make it easy to share and collaborate, but unfortunately, this also makes improper access and accidental oversharing just as simple. That’s where Microsoft’s sensitivity labels come in.

Sensitivity labels help you prevent oversharing and secure your content by allowing you to classify documents based on their sensitivity. The labels not only classify each piece of content but also enforce the protection settings you create around each classification.

For example, you can create a label for “ITAR/Export Control” content and an associated protection setting could automatically encrypt the content, apply content markings, or limit access (such as print, share, or even read) from foreign nationals. Sensitivity labels can also be used for containers, such as tagging a Team as private or public, controlling and limiting guest access, or prohibiting external sharing of Groups or SharePoint sites.

Read the ebook: How to Manage Federal Taxpayer Information in Microsoft Teams

Our partner Bravo Consulting agrees, “While sensitivity labels are, at their core, one of the best methods for securing your data, they can also be used by search engines to make your content more findable, improving searchability, reducing the time to find what you are looking for, and hence, increasing productivity…three birds with a single stone!” commented Eric Schrier, Chief Integrator Officer at Bravo Consulting.

Admins can create and customize categories for labels based on needs (level of confidentiality, department-specific, internal vs external, general, etc). After content is tagged, labels are visible to your end-users and will appear on emails, documents, and other content that you want to control.

One of a label’s most secure capabilities is that they are persistent; they travel with a file wherever it goes. If you tag a file with a sensitivity label that limits access to a certain timeframe or prevents editing or copying and then email this file, the security controls still apply. Labels also transfer to third-party apps, like Salesforce or Dropbox, because they are built into the metadata of content and will label and follow your documents wherever they are shared or stored.

Sensitivity Labels and Zero Trust

As we discussed in previous posts, a Zero Trust framework requires you to “never trust, always verify.” This can be achieved by following the three key principles of Zero Trust Architecture (ZTA): least-privilege access, verify explicitly and assume breach. In other words, to meet ZTA standards, you need to lock down access to your content and ensure permissions are only granted to those that are necessary to have them. Sensitivity labels can help get you there.

what is zero trust

Because they clearly define and enforce who should or should not be able to access your content, sensitivity labels make it easy to prevent oversharing. Once your classifications have associated protection settings and your content has been tagged, there is no additional work on your team. The labels appear as tags, making the content’s sensitivity level visible, and the policies are automatically enforced, protecting your information from oversharing and improper access.

For example, it might be obvious a document with a “ITAR/Export Control” label should not be shared with a foreign national contractor, but sensitivity labels empower you to not leave this up to chance. The policy you create and associate with the label can ensure can share the categorized document with anyone other than those who have been cleared to view it.

Your labels can also help mitigate the risk of a breach by limiting who has permission to do what to your content. For example, even if someone were to download or save a document, the same label will follow it ensuring the same protection setting (whether to limit editing, external sharing, or other safety measures) still applies. If you don’t want someone to copy the content, it will block all copy commands, even the Print Screen command. And because the protection settings you assign to each label are automatic and persistent, you can seamlessly ensure no one can access any information you don’t want them to, no matter where it roams, truly protecting your sensitive data.

Streamline Your Sensitivity Labels Application with AvePoint

If you have not used sensitivity labels previously, implementing them can feel daunting. User studies show that rarely do two individuals, let alone people trained in categorizing data, tag data the same, making this process often feel like climbing Everest. And that’s just to get you started – after content is tagged, you need to monitor and track your labels to ensure all content continues to have the appropriate categorization throughout its lifecycle.

While potentially cumbersome, the benefits of sensitivity labels far outweigh the downsides of setting them up. Fortunately, some tools can streamline the creation and management of your sensitivity labels, seamlessly securing your sensitive information.

AvePoint’s Cloud Governance can be configured to require any user creating a new workspace, such as a new Team, to fill out a questionnaire and provide information about the sensitivity of the data that will be stored and those who will have access to it. As an example, customers have configured these questionnaires with options for known sensitive data types, such as ITAR/Export Control; when selected, Cloud Governance programmatically sets the default label for all content moved to or created within the workspace to match this sensitive information type, thus enabling bulk, persistent classification. Additionally, Cloud governance also sets membership restrictions so if, in the ITAR example, foreign nationals are added as members, they go through an automated approval process to ensure they are actually authorized by the export control office to see this data.


Natively, sensitivity labels can be applied in multiple ways beyond requiring user intervention. For example, with G5 licensing, label policies can be written to programmatically apply labels based on location, content within a file, and other metadata. Additionally, labels can apply to containers; however, these labels do not offer direct enforcement and must be applied to the files directly to enforce compliance.

AvePoint’s Cloud Governance, however, enables you to programmatically apply sensitivity labels by container (SharePoint Site Collection, document library, etc) based on expected use captured during provisioning and automatically enforces appropriate permissions control – directly aligning with the ZTA principle of least-privileged access and verify explicitly, on or offline.

Then, you can confirm your security framework is effective using AvePoint’s Insights. Insights offers both a centralized dashboard and highly actionable reporting based on Microsoft’s sensitive information types and exposure. The solution allows you to manually audit your sensitivity labels, identify any risks based on factors like sharing permissions and classification of data, and adjust your security measures in response to what the tool finds.


For example, you may have categorized a workspace as “General,” but PII or other sensitive information is stored there. Insights will flag this oversight, allowing you to change the classification to content categorization “Confidential” and update the tags on the workspace and its content to ensure access to this sensitive data is limited.

Both Cloud Governance and Insights complement Microsoft’s native security measures, streamlining your tagging and then confirming all the work you’re doing to build your labels is keeping your sensitive data secure. Combining sensitivity labels with AvePoint solutions can help you programmatically secure your collaboration environment while following the key principles of Zero Trust Architecture.

Subscribe to our Microsoft 365 Government Community call for more tips and tricks on how to utilize M365 as a Federal agency, request a demo of our Zero Trust solution to make aligning with the federal mandate simple and seamless.

what is zero trust

You can also read more blog posts about Zero Trust and learn how to meet federal Zero Trust standards with Microsoft Sensitivity Labels in this webinar!

Stay up-to-date with our Zero Trust series by subscribing to our blog.

Antoine Snow is a senior solutions manager at AvePoint, leading the Public Sector business unit. He has held various positions in IT over the past several years ranging from front-end web developer to Microsoft 365 Service Owner. In his current role, Antoine focuses on governance and adoption challenges plaguing the modern workplace and helping government organizations understand the components of a governance strategy and its implementation. Antoine's views on these topics can be found in various blog posts and has been the focus of one-to-one workshops.

View all posts by Antoine Snow

I sell software, but my passion is to help translate the needs of the business into the capabilities of available technology. Over two decades in tech I have helped customers analyze collaboration solutions against actual mission needs in helping them select the best path based on their personal critical success factors. Per my training I’m a project manager (PMP), an engineer, an architect, and a designer; but ultimately, I’m a problem solver.

View all posts by Jay Leask

Subscribe to our blog