Azure Information Protection

With security, compliance and GDPR on everyone’s mind at the moment, I started testing and looking into a feature that builds on top of Microsoft’s Azure Rights Management.

Azure Information Protection, which I will refer to as AIP going forward, is available as part of the Enterprise Mobility + Security suite.

AIP is a cloud-based solution that helps an organization to classify content. There are two main SKUs, P1 and P2; the main difference is that with P2 subscriptions you get intelligent automatic labelling of files.

The main features I’m excited about are:

  • Protection that travels with the data.
  • Enhanced control over shared data and reporting.
  • Ability to protect data whether it’s stored on premises or in the cloud.

Microsoft recommends that you stick to the main 5 labels that have stood up against a great deal of community testing in different industries.

I think the main reason for the label names is simplicity: it allows you to train people inside your organisation once, on one set of labels. Anyone should be able to look at the labels below, apply some logic and understand when they should be used.

  • Personal – Non-business data
  • Public – Business data that has been approved for public use
  • General – The default, business data not approved for public consumption
  • Confidential
  • Highly Confidential

Sub-labels can be created for key departments. This allows you to narrow down who can access data to meet regulatory requirements or a business need.

As shown below if a user selects the Confidential/Finance label the document will be scoped to only finance users via a security group – meaning only people in that group can see the label and use it.

[Screenshot: Legal Sub Cate.png]

There is a small client that has to be installed on each machine, and this is how users interact with the feature; it is simple and intuitive to use. For anyone wondering how easy it is to deploy, it is a small MSI that is easy to push out via your favourite method.

Based on the classification policies, users can have a default set, manually select a label, be prompted based on content, or have a classification automatically applied based on content; the latter two are P2 features.

Once installed, users will see that a viewer and a toolbar inside the Office suite are available, as seen below.

[Screenshots: AIP Bar, Protection Icon, AIP Viewer]

So, how do I protect files? It’s really simple, as seen in the screenshot. In Word, Excel or PowerPoint, all you do is click on a label at the top of the document and hit save.

In my environment I have set the default as General. If the user tries to lower the classification, they will be prompted for a reason, which can then be flagged for someone to check.

[Screenshot: Classification change]

Another cool feature I like: when you set a document to Highly Confidential, I have made it automatically insert a watermark over the document.

[Screenshot: H Conf - Watermark]

Final Thoughts:

You can really tell that Microsoft have been working hard on this feature and have focused on making it easy to deploy and use.

Teamed with the Cloud App Security add-on, you can expand this feature outside of Office 365 to other DLP and storage providers such as Dropbox.

Scoped policies teamed with sub-labels are great for projects/mergers and keeping the confidential data in-house.

I would say plan to automatically label some content and have your users label the rest; this way you are not relying on one approach, and it will yield the best outcome.