Protecting Your Organization's Data With Microsoft Azure Information Protection
Data is consistently shared between different services and devices across your enterprise, internally and externally. Organizations find it difficult to protect sensitive data from leaving the organization and identifying where is sensitive data located in their environment. Microsoft’s Azure Information Protection (AIP) is a cloud-based solution that discovers, classifies and protects sensitive organizational data by applying labels and encryption.
In This Article
Data is being shared between different users, devices, apps and services more easily than ever before. Organizations are consistently working with remote employees, partners, suppliers, customers and outsourced employees, and sensitive data is continuously shared outside the boundaries of the organization.
Some of today's data security concerns are:
- How can I identify sensitive data?
- How can I protect traveling data?
- How can I know the organizations data is safe?
To overcome these concerns, the first step is to classify and label data and next is to apply protection to sensitive data using encryption. Microsoft’s Azure Information Protection is a cloud-based solution that classifies and protects sensitive data no matter where it’s stored or to whom it’s shared with. This tool provides end-to-end protection and control of sensitive data which includes classification and labeling, data protection, data usage and monitoring, and responding to malicious data usage activities.
Classification and protection
Sensitive data such as personally identifiable information (PII), protected health information (PHI), financial information and sensitive company memos are at risk once they are accessed and shared by both internal and external users. To handle different levels of information sensitivity and appropriate protection, it’s important to define the classifications with standard recommended labels: Personal, Public, General, Confidential and Highly Confidential.
Azure Information Protection provides flexibility and integration across the Microsoft 365 ecosystem like Microsoft Office 365, SharePoint Online, Exchange Online and OneDrive for Business. Classification and protection stay with the data regardless of where its stored and to whom it's shared with. Azure Information Protection meets compliance and regulatory requirements, including FIPS 140-2, HSMs, ISO/IEC 27001:2013, SOC, HIPAA, BAA, EU Model Clause, PCI DSS and more.
With Azure Information Protection you get intuitive controls and integrations directly to Microsoft Office 365 apps and one-click options to easily classify and protect data. Persistent protection means data is always protected, regardless of where it's stored or to whom its shared with. Tracking, logging, reporting and monitoring allows more visibility and control over shared data and access can be revoked if required. Share data safely with customers and partners by specifying certain rights, such as view, review, copy, print, forward and edit. There’s flexibility to protect data whether its stored in the cloud or on-premise and options to use Microsoft managed keys for encryption or Bring Your Own Key (BYOK).
Implementing Azure Information Protection in your organization
Defining Azure Information Protection to classify and protect information enabled the ability to identify sensitive information and define security controls on data.
- Classification and labeling – Data classified based on content, context or source and can be applied automatically based on policies or manually by users.
- Protect data – Documents and emails can be encrypted. Authentication requirements and rights can be added by users or via policy.
- Monitor and respond – Users can track activities on shared files and revoke access when needed.
Getting started with Azure Information Protection (AIP)
To fully utilize Azure Information Protections capabilities, an AIP Unified Labeling client is required to be installed on a device. Azure Information Protection Unified Labeling client will automatically pull down the AIP policy templates to your Microsoft 365 Office Apps which are Outlook, Word, PowerPoint and Excel. Classifications and policies are defined at the organization level by the IT team.
Once the AIP client is installed, an Azure Information Protection bar will appear across the Microsoft Office Apps for quick and convenient selection.
The three labels will appear consistently across all Microsoft Office apps and in Outlook on the web. The Sensitivity icon in the top ribbon allows the ability to turn the Azure Information Protection bar on or off.
Note: As of writing this article, Microsoft has NOT enabled support for Azure Information Protection for Office online apps such as Word, Excel or PowerPoint on the web EXCEPT for Outlook on the web, which supports AIP capabilities.
Classification and labeling
Intuitive data classification and labelling allows for easy manual classification or automatic classification based on the content type. User driven classifications enabled users to manually select the appropriate label for the document or email and actions like visual marking of the document and encryption can be enforced using policies. Labels are metadata which is embedded in the document, so systems can easily read it and it stays with the document wherever it travels.
Each label opens up an information box explaining how to use the respective label.
Automatic classifications can be based on the organization information protection policies and in the content of the document, even if the user does not specify a classification before saving the document, the automatically classification will automatically apply the appropriate classification.
Visual labels and markers in the header, footer and watermarks can be added to the document to make users aware of the sensitivity of the document at a glance. Users can easily reclassify a document manually and if a lower sensitivity label is selected then they me asked for a justification.
Users can define custom access controls to further protect the documents and prevent over sharing. Custom permissions gives users the ability to provide granular controls in a Microsoft Office application or a file in File Explorer.
Classify and protect files in File Explorer
Classification and protection of files in File Explorer is as simple as right click and selecting Classify and Protect from the list of options.
With integration of Microsoft Outlook, Azure Information Protection gives users the ability to manually restrictions on emails by using the Do Not Forward feature which blocks the recipient’s ability to forward, copy or print emails and applies encryption. Another feature is the Encrypt feature which allows senders to encrypt email messages only. These features appear under the Options menu and by clocking the Permissions icon.
Azure Information Protection encryption is supported on popular public email addresses like Gmail, Hotmail and Yahoo. Upon receiving an encrypted email, recipients are taken to an access page where they are asked to sign-in with a one-time passcode or simply sign-in to view the message.
Monitor and respond
Azure Information Protection allows users the ability to track activities on shared files with rich logs and reporting tools to help IT teams monitor for regulatory and compliance purposes. End-users and administrators alike can easily revoke access to a shared document if they deem data has been overshared or if suspicious activity is suspected.
Azure Information Protection provides a comprehensive solution for protecting your organization’s sensitive data, from identifying the sensitivity of business data to protecting and tracking information usage. It helps you comply with organizational requirements for security and compliance.
Protection can be enforced on sensitive information when a document is being created or modified, and users have the flexibility to reclassify information sensitivity when they have a justified reason. Users can define their own access controls when sharing information outside the organization and always track and revoke access even after a document has left the organizational perimeter.
Questions or feedback? Leave a comment below or reach out directly to discuss your use case.