A laptop was lost or stolen, files were copied through a breach, or an incorrect file was simply attached to an email – things no IT Professional ever wants to hear. The need to know where, how and who is accessing important company data is an issue as old as it is ever-changing; Data Loss Prevention (DLP) is more important now than ever.
In the past, tight physical security protocols protected paper files in cabinets and knowing who held the key and who accessed them was done entirely through manpower. In the digital world, a hard copy is simply one of many manifestations of data and understanding how to protect information and how to restrict access because of the myriad of ways data can be accessed can quickly become overwhelming. How do companies ensure only the right people are accessing sensitive data? AIP addresses this need as a cloud-based solution helping to classify, protect through encryption, and track access to labeled documents and emails.
DLP vs AIP
What does Azure Information Protection (AIP) have to do with DLP? It’s one of many tools that Microsoft delivers to help companies protect their data.
Microsoft’s Office 365 Data Loss Prevention offering by itself is focused on compliance standards and regulations and informing administrators when information such as Personally Identifiable Information (PII) is found or shared in an environment. An example would be a PCI compliant company monitoring to ensure no credit card numbers are saved in SharePoint Online (SPO); the DLP policy would monitor SPO and, if CC numbers were found, restrict access until the original editor removes them or the file itself is deleted. In this scenario, DLP is protecting and monitoring information after it has been created within the Office 365 tenant.
Azure Information Protection protects individual files (or emails!) no matter where they live or are sent. AIP protections used to apply the protections and markings to the file are called labels.
“Labels? You mean the things in my filing cabinet?”
No, and it’s going to get a little confusing because in AIP they’re just called “labels.”
Applying a label can be done during the initial creation, afterward during an edit, or even using the client in the file explorer. The bonus of labels is they allow for classification of the type of business-critical information contained in a document. I’ve always thought it was easiest to imagine files and emails protected by AIP to be “wrapped”, meaning the file is encrypted and AIP is the gatekeeper. Once a file is wrapped there is an Access Control List (ACL) defined by the AIP label identifying who can do what to the file.
Options setting whether the file can be accessed offline or the expiration date can also be configured. What happens to the file regarding access, markings, expiration and protection all depends on the applied label. Each time a file is opened, it will check in with Azure to verify the user is authorized to do so. This ensures the data is protected at rest no matter where it happens to be resting.
After a document has been protected, it is possible to track who has accessed the document, been denied access and a rough geographical location of where it was accessed. This goes hand-in-hand with the capability to revoke access to the document. Once access has been revoked, no one is allowed to get back into the data except for the user who applied the protections or a delegated administrator
“Wait, what do you mean that it depends on the label?”
Yep, that’s correct, and there can be a lot of them if you choose to create them. As I’ve mentioned previously, labels are what AIP uses to assign protections stated. Labels are assigned to a policy and can only be assigned to one policy, then policies are assigned to users or distribution groups.
“Global” labels can be created and added to the native Global policy (e.g. company confidential) and applied to everyone in a tenant. Additionally, department-specific labels tailored explicitly for what protections they require will only be assigned to the policy delivering them to the intended users. There is even the ability to allow the creation of custom labels by users for specific one-off situations.
Unfortunately, this capability isn’t built into Office. A standalone downloadable ‘Azure Information Protection’ client application must be installed on each user’s machine to utilize the labels they are assigned. The client app includes an Office Add-in allowing users to assign labels as they work on Office Documents. The client also grants the ability to assign AIP labels while using file explorer, even to non-office documents such as a PDF file, meaning almost any file can be protected! For mobile access, there is an AIP viewer app which enables Android and Apple systems to open AIP protected documents. The Outlook Mobile app has the built-in ability to open AIP protected emails. Protected emails can’t be opened by some native email applications and will require the installation of the viewer. For a full list of supported OS/ Applications, please refer to Microsoft documentation.
One quick note, in Office 365 there is also “Sensitivity Labels” used in SharePoint however right now there is not much functionality difference if you use those over AIP. This might change in the future and Microsoft could merge the two or sunset one to simplify things.
In my next blog, I’ll get a little into the technical side of Azure Information Protection. If you have any questions, please feel free to reach out!