Data protection should always get priority and must be top of mind in organizations that store and transfer sensitive data, especially these days, when it’s more important than ever before to protect data. Also, after May 25th, 2018, organizations need to be compliant and must follow the standards of the General Data Protection Regulation (GDPR). Microsoft Azure Information Protection can contribute to this. So, it’s no surprise that over the last few weeks customers have been asking me more often what Azure Information Protection is and what it can do for their organization. Therefore, I will provide more information about the capabilities of Azure Information Protection in this blog post.
Azure Information Protection
Azure Information Protection (AIP) is a Microsoft solution for defining how data is classified, stored and transferred. AIP is applied on top of Azure Rights Management and integrates with documents and e-mails. For example, if an employee of the financial department wants to send a document or e-mail containing sensitive information, AIP can be used to classify that document or e-mail. Depending on the classification, colleagues or external parties can or can’t access the document and/or e-mail message. It is also possible to see when and where documents are opened, and even to revoke access to documents. E-mails with a very high classification can also be prevented from being forwarded or from having their content copied. Thus, AIP enables both the classification and the protection of data. Figure 1 shows the data classification label configuration in Azure, and figures 2 and 3 show an example of the labels in Outlook and Word, respectively.
Figure 1. Classification labels configuration in Azure.
Figure 2. Classification labels in Outlook.
Figure 3. Classification labels in Word.
Protect files and folders
Using AIP, it is also possible to apply classification labels to other files, such as PDFs. When right-clicking a PDF file, the option “Classify and protect” becomes visible (see figure 4). It is also possible to select multiple files and/or folders, and to track and revoke files.
Figure 4. Classify and protect other files and folders.
Because AIP sits on top of Azure Rights Management, encryption of both documents and e-mails is possible. When a high classification label is configured with protection and this label is applied to a document, the document is automatically encrypted. This encryption prevents access by unauthorized users. Figure 5 shows on the left a Word document to which a high classification label with encryption is applied, and on the right a Word document to which a low classification label without encryption is applied. As can be seen in figure 5, the encrypted document is displayed as an “Encrypted Package”.
Figure 5. On the left a Word document incl. high classification and encryption, on the right the same document without encryption.
Microsoft offers licenses depending on the functionalities that are needed. When using Azure Active Directory Premium P1, the user will have to apply data classification manually, while Azure Active Directory Premium P2 can do this automatically. Please refer to the following URL to see which license models are available: https://azure.microsoft.com/en-us/pricing/details/information-protection/
In the upcoming posts I will describe how to configure classification labels in Azure, what the prerequisites are for the AIP client, how to configure and apply transport rules and the possibilities of data loss prevention (DLP).